Saturday, April 11, 2020

Public ICS Disclosures -Week of 4-4-20

This week we have three vendor disclosures for products from B&R Automation, Moxa and Rockwell Automation. There are also two sets of researcher reports for products from Advantech and Universal Robots.

B&R Advisory

B&R published an advisory describing three vulnerabilities in their Automation Studio. The vulnerabilities were reported by Yehuda Anikster and Amir Preminger from Claroty. B&R has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Privilege escalation - CVE-2019-19100;
• Incomplete communication encryption and validation - CVE-2019-19101; and
• Zip Slip vulnerability (third-party vulnerability) - CVE-2019-19102
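Zip Slip is the archive-extraction flaw in which an entry name such as "../../etc/cron.d/job" is joined to the extraction directory without checking where the result lands, so a crafted archive writes files anywhere the extracting process can. The following is an added illustration of that class and of the check that defeats it; it is not B&R's code and says nothing about how Automation Studio handles archives. The archive contents, the extraction root "/srv/extract" and the helper names are constructed for the example.

```python
"""Zip Slip check: reject archive entries that would land outside the extraction root.

Added example (not vendor code): builds an in-memory archive with one benign
entry and three traversal attempts, then validates every member before any
file is written.
"""
import io
import os
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive member would extract outside the chosen root."""


def build_archive(entries):
    """Construct a zip in memory from (name, bytes) pairs; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def safe_target(root, member_name):
    """Return the absolute path a member would extract to, or raise ZipSlipError.

    Absolute names are refused outright. Relative names are joined to the root,
    normalised (which collapses any '..' segments), and the result must still
    have the root as a prefix; that is the check Zip Slip exploits the absence of.
    """
    root = os.path.realpath(root)
    name = member_name.replace("\\", "/")          # treat Windows separators uniformly
    if name.startswith("/") or os.path.isabs(name):
        raise ZipSlipError(f"absolute entry name {member_name!r}")
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ZipSlipError(f"entry {member_name!r} escapes {root}")
    return candidate


def classify(archive_bytes, root):
    """Report which members are safe to extract and which are Zip Slip attempts."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_target(root, info.filename)
                safe.append(info.filename)
            except ZipSlipError:
                rejected.append(info.filename)
    return safe, rejected


def extract_safely(archive_bytes, root):
    """Validate every member first, so a malicious archive writes nothing at all."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        targets = [(info, safe_target(root, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return [target for _, target in targets]


# Constructed sample archive: one legitimate project file and three escape attempts.
SAMPLE_ARCHIVE = build_archive([
    ("project/settings.xml", b"<settings/>"),
    ("../../etc/cron.d/backdoor", b"* * * * * root /tmp/x\n"),
    ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
    ("project/../../escape.txt", b"slipped"),
])

if __name__ == "__main__":
    safe, rejected = classify(SAMPLE_ARCHIVE, "/srv/extract")
    print("safe:    ", safe)
    print("rejected:", rejected)
```

Naive code that calls os.path.join(root, name) and opens the result would write the second entry into /etc/cron.d and the fourth one level above the root; the prefix test after normalisation is what catches both. Note that the check is done on every member before extraction starts, so a single bad entry rejects the whole archive rather than leaving a partially written tree.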

Moxa Advisory

Moxa published an advisory on the kr00k vulnerability in their products. They report that none of their products are affected.

NOTE: Negative reports about 3rd party vulnerabilities are just as important as reporting an active vulnerability in a product.

Rockwell Advisory

Rockwell published an advisory describing a file permission vulnerability in their Current Program Updater software. The vulnerability was reported by Reid Wightman from Dragos. Rockwell has new versions that mitigate the vulnerability. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

NOTE: Rockwell is reporting a 2017 CVE (CVE-2017-5176) for this vulnerability. That vulnerability was reported by ICS-CERT on March 21st, 2017. If NCCIC-ICS were to pick up this advisory it would probably be as an update to that earlier advisory.

Advantech Reports

The Zero Day Initiative published five related reports (here, here, here, here, and here) for 0-day arbitrary file deletion vulnerabilities in the Advantech WebAccess program. The vulnerabilities were reported by Natnael Samson. ZDI reports that it has reported all five vulnerabilities to Advantech and ICS-CERT (their naming not mine) noting: “The vendor communicated that they will rely on existing measures and will add no amendments to the code.”

Universal Robots Reports

Aliasrobotics published four reports of vulnerabilities for products from Universal Robots. The vulnerabilities were reported by rvd-bot, bedieber and bbreilin. Aliasrobotics reportedly contacted Universal Robots about these vulnerabilities but has received no replies.

The four reported vulnerabilities are (links are to github pages which include proof-of-concept exploit code):

• Missing encryption of sensitive data - CVE-2020-10267;
• Missing authentication for critical function - CVE-2020-10265;
• Insufficient verification of data authenticity - CVE-2020-10266; and
• Exposure of sensitive information to unauthorized actor - CVE-2020-10264
