This week we have five vendor disclosures for products from
Schneider (4) and OPC Foundation. We also have nine updated advisories for products
from Schneider (4) and Siemens (5).
Schneider Advisories
Schneider published an advisory
describing an injection vulnerability in their Modicon M100/M200/M221
controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic products.
The vulnerability was reported by Seok Min Lim and Johnny Pan of Trustwave.
Schneider has updated software and firmware that mitigates the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
Schneider published an
advisory describing two vulnerabilities in their Modicon M218/M241/M251/M258
Logic Controllers, SoMachine & SoMachine Motion, and EcoStruxure Machine
Expert products. The vulnerabilities were reported by Rongkuan Ma, Shunkai Zhu
and Peng Cheng of 307Lab. Schneider has new versions to mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Insufficient verification of data authenticity - CVE-2020-7487; and
• Clear-text transmission of sensitive data - CVE-2020-7488
Schneider published an
advisory describing an untrusted search path vulnerability in their Vijeo
Designer and Vijeo Designer Basic Software products. The vulnerability was
reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates
the vulnerability. There is no indication that Yongjun has been provided an
opportunity to verify the efficacy of the fix.
Schneider published an
advisory describing four vulnerabilities in their legacy Triconex product.
These vulnerabilities are self-reported. Schneider reports that newer versions
corrected the vulnerabilities.
The four reported vulnerabilities are:
• Password vulnerability (2) - CVE-2020-7483 and CVE-2020-7484;
• Improper access - CVE-2020-7485; and
• Denial of service - CVE-2020-7486
OPC Foundation Advisory
OPC published an
advisory describing a malformed message vulnerability in their UA .NET
Standard Stack. The vulnerability was reported by Steven Seeley (mr_me) and
Chris Anastasio (muffin) via the Zero Day Initiative. OPC has updates available
that mitigate the vulnerability. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
Schneider Updates
Schneider has published an update for their Urgent/11 advisory that was
originally published on August 2nd, 2019 and most recently updated on
March 11th, 2020. The new information includes updated mitigation
information for:
• ION7400 MID; and
• PM8000 MID
Schneider has published an
update for their Modicon Controllers advisory that was originally
published on November 12th, 2019. The new information includes
the addition of a new hard-coded credentials vulnerability - CVE-2019-6859.
Schneider has published an
update for their Andover Continuum advisory that was originally
published on March 10th, 2020. The updated information includes
an explanation that the code injection vulnerability is a third-party MS-XML
library vulnerability.
Schneider has published an update
for their Modicon Controllers advisory that was originally published on
December 10th, 2019. The updated information includes:
• Adding Modicon M340 and M580 to affected product list;
• Adding a hotfix link and adding further details to the mitigation measures;
• Adding updated firmware links; and
• Adding Enrique Murias Fernández of Tecdesoft Automation to the acknowledgements.
Siemens Updates
Siemens published an update for an advisory for Intel CPUs that was originally
published on February 11th, 2020 and most recently updated on
March 10th, 2020. The new information includes
updated version information and mitigation links for SIMATIC ET 200SP Open
Controller CPU 1515SP PC2.
Siemens published an update
for an advisory for Industrial Products that was
originally published on January 14th, 2020. The new information includes
explicitly mentioning old versions of SIMATIC NET.
Siemens published an update for their GNU/Linux subsystem vulnerabilities
advisory that was originally published on November 27th, 2018 and most
recently updated on February 11th, 2020. The new information includes adding
the following new vulnerabilities:
• CVE-2015-5895;
• CVE-2019-19447;
• CVE-2019-19603;
• CVE-2019-19645;
• CVE-2019-19646;
• CVE-2019-19880;
• CVE-2019-19923;
• CVE-2019-19924;
• CVE-2019-19925;
• CVE-2019-19926;
• CVE-2019-19959;
• CVE-2019-20218;
• CVE-2020-8428;
• CVE-2020-8492;
• CVE-2020-9327;
• CVE-2020-10029; and
• CVE-2020-10942
Siemens published an update
for their SIMATIC advisory that was originally
published on July 30th, 2012. The new information includes adding
SIPLUS devices to the list of affected devices.
NOTE: ICS-CERT published advisory ICSA-12-212-02
covering this vulnerability, but has not yet updated (and may not update) that advisory.
Siemens published an update
for their SIMATIC advisory that was originally
published on July 30th, 2012. The new information includes adding
SIPLUS devices to the list of affected devices.
NOTE: This advisory was lumped into the ICS-CERT advisory
described above.