This week we have three vendor disclosures for products from
B&R Automation, Moxa and Rockwell Automation. There are also two sets of
researcher reports for products from Advantech and Universal Robots.
B&R Advisory
B&R published an
advisory describing three vulnerabilities in their Automation Studio. The vulnerabilities
were reported by Yehuda Anikster and Amir Preminger from Claroty. B&R has
updates that mitigate the vulnerabilities. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The three reported vulnerabilities are:
• Privilege escalation – CVE-2019-19100;
• Incomplete communication encryption and validation – CVE-2019-19101;
• Zip Slip vulnerability (third-party vulnerability) – CVE-2019-19102
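The Zip Slip item above names a vulnerability class the advisory itself does not explain: an archive member whose stored name contains "../" segments (or is an absolute path) gets written outside the directory the extractor intended, which is how a crafted project archive can overwrite files elsewhere on the engineering workstation. The block below is an added example, not code from B&R, Claroty or the Automation Studio product. It builds a small archive in memory with one traversal member (a constructed sample, not a real vendor file), reports which members would escape the destination, and refuses to extract unless every member resolves inside it. The function names and member names are my own.

```python
import io
import os
import zipfile


def build_archive(members: dict) -> bytes:
    """Construct an in-memory zip from {member_name: content} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)  # writestr keeps the name exactly as given
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return archive member names whose resolved path would land outside dest_dir.

    The check is done on the fully resolved path, so "a/../../x", "../x" and
    absolute names are all caught; backslashes are normalised first so a
    Windows-style "..\\x" is not treated as a single harmless file name.
    """
    dest = os.path.realpath(dest_dir)
    escapes = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # os.path.join discards dest when name is absolute, which is the
            # behaviour we want: the realpath then clearly falls outside dest.
            target = os.path.realpath(os.path.join(dest, name))
            try:
                inside = os.path.commonpath([dest, target]) == dest
            except ValueError:  # different drives on Windows: definitely outside
                inside = False
            if not inside:
                escapes.append(info.filename)
    return escapes


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if no member escapes dest_dir; return the extracted names."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, traversal members: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


if __name__ == "__main__":
    # Constructed sample: a benign project file plus one Zip Slip member.
    sample = build_archive({
        "project/main.st": "PROGRAM Main END_PROGRAM",
        "../../startup.cmd": "would land two directories above the target",
    })
    print("escaping members:", unsafe_entries(sample, "/tmp/extract_demo"))
    try:
        safe_extract(sample, "/tmp/extract_demo")
    except ValueError as err:
        print(err)
```

The same check applies to any archive format an engineering tool unpacks; the point is to validate the resolved destination of every member before writing, rather than trusting the member name.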
Moxa Advisory
Moxa published an
advisory on the kr00k
vulnerability in their products. They report that none of their products are
affected.
NOTE: Negative reports about 3rd party
vulnerabilities are just as important as reporting an active vulnerability in a
product.
Rockwell Advisory
Rockwell published an
advisory describing a file permission vulnerability in their Current
Program Updater software. The vulnerability was reported by Reid Wightman from
Dragos. Rockwell has new versions that mitigate the vulnerability. There is no
indication that Reid has been provided an opportunity to verify the efficacy of
the fix.
NOTE: Rockwell is reporting a 2017 CVE (CVE-2017-5176) for
this vulnerability. That vulnerability was
reported by ICS-CERT on March 21st, 2017. If NCCIC-ICS were to
pick up this advisory it would probably be as an update to that earlier
advisory.
Advantech Reports
The Zero Day Initiative published five related reports (here, here, here, here, and here) for 0-day arbitrary file deletion vulnerabilities in the Advantech WebAccess program. The vulnerabilities were reported by Natnael Samson. ZDI states that it has disclosed all five vulnerabilities to Advantech and ICS-CERT (their naming, not mine), noting: “The vendor communicated that they will rely on existing measures and will add no amendments to the code.”
Universal Robots Reports
Aliasrobotics published
four reports of vulnerabilities for products from Universal Robots. The vulnerabilities
were reported by rvd-bot, bedieber and bbreilin. Aliasrobotics reportedly
contacted Universal Robots about these vulnerabilities but has received no replies.
The four reported vulnerabilities are (links are to github pages which include proof-of-concept exploit code):
• Missing encryption of sensitive data – CVE-2020-10267;
• Missing authentication for critical function – CVE-2020-10265;
• Insufficient verification of data authenticity – CVE-2020-10266; and
• Exposure of sensitive information to unauthorized actor – CVE-2020-10264