Yesterday the CISA NCCIC-ICS published two control system
security advisories for products from OSIsoft and Eaton. They also updated
previously published advisories for products from 3S, Interpeak, and Siemens (5).
OSIsoft Advisory
This advisory
describes ten vulnerabilities in the OSIsoft PI System. The vulnerabilities
were reported by William Knowles at Applied Risk. OSIsoft provides workarounds
to mitigate the vulnerabilities. There is no indication that Knowles has been
provided an opportunity to verify the efficacy of the fix.
Applied Risk has verified that Knowles was provided an opportunity to verify the efficacy of the fix (see https://chemical-facility-security-news.blogspot.com/2020/05/verifying-fixes.html) [5-14-20 8:00 EDT]
The ten reported vulnerabilities are:
• Uncontrolled search path element - CVE-2020-10610,
• Improper verification of cryptographic key - CVE-2020-10608,
• Incorrect default permissions - CVE-2020-10606,
• Uncaught exception - CVE-2020-10604,
• Null pointer dereference (2) - CVE-2020-10602 and CVE-2020-10600,
• Improper input validation - CVE-2019-10768,
• Cross-site scripting (2) - CVE-2020-10600 and CVE-2020-10614, and
• Insertion of sensitive information into log file - CVE-2019-18244
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to access
unauthorized information, delete or modify local processes, and crash the
affected device.
Eaton Advisory
This advisory
describes two vulnerabilities in the Eaton Intelligent Power Manager software
monitoring and management platform. The vulnerabilities were reported by Sivathmican
Sivakumaran of Trend Micro’s Zero Day Initiative. Eaton has a new version that
mitigates the vulnerabilities. There is no indication that Sivakumaran has been
provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper input validation - CVE-2020-6651, and
• Incorrect privilege assignment - CVE-2020-6652
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to perform command
injection or code execution, and that non-administrator users could manipulate the
system configurations.
3S Update
This update
provides additional information for an advisory that was originally
reported on September 12th, 2019. The new information includes a
link to an even newer version that more completely mitigates the vulnerability.
NOTE: This is part of the reason that I advocate for the researchers
that discovered the vulnerability being provided a specific opportunity to
verify the efficacy of the reported fix.
Interpeak Update
This update
provides additional information for the Urgent/11
advisory that was originally
published on October 1st, 2019 and most
recently updated on February 18th, 2020. The new information includes
a link to the new Siemens
Power Meters advisory that was published today.
SIPROTEC Update
This update
provides additional information for an advisory that was originally
published on July 9th, 2019 and most recently
updated on December 10th, 2019. The new information includes
affected version numbers and mitigation links for SIPROTEC 5 device types 7SS85
and 7KE85.
SINAMICS Update
This update provides
additional information for an advisory that was originally
published on August 15th, 2019 and most
recently updated on December 10th, 2019. The new information
includes affected version numbers and mitigation links for SINAMICS SL150 V4.8.
SIMATIC Update
This update
provides additional information for an advisory that was originally
published on February 11th, 2020 and most
recently updated on April 14th, 2020. The new information
includes affected version numbers and mitigation links for SIMATIC NET PC
Software.
KTK Update
This update
provides additional information for an advisory that was originally
published on April 14th, 2020. The new information includes the
addition of the SIMATIC S7-400 H V6 CPU family to the list of affected
products.
RUGGEDCOM Update
This update
provides additional information for an advisory that was originally
published on April 14th, 2020. The new information includes the
removal of IE/PB-Link V3 from the list
of affected products.
Other Advisories
Siemens
published one additional update that was not covered by NCCIC-ICS
yesterday. I will address that on Saturday.
Schneider has also joined the 2nd Tuesday patch
club. They published
3 new advisories and 4 updates that I will also address on Saturday.