This week we have one vendor disclosure from 3S and one researcher
report for products also from 3S. I also look at a series of Zero Day
Initiative reports on the Advantech vulnerabilities that were reported by
NCCIC-ICS earlier this week.
3S Advisories
3S published an
advisory [.PDF download link] describing a privilege escalation
vulnerability in their CODESYS visualization application. The vulnerability is
self-reported. 3S has a new version that mitigates the vulnerability.
Talos published a
report describing an insufficient verification of data authenticity
vulnerability in the 3S Control SoftPLC runtime system. Talos reports that this
is a coordinated disclosure, but there is currently no advisory for this
vulnerability on the 3S Security
Advisory list. The Talos report includes proof-of-concept exploit code.
Advantech Advisories
Earlier this week NCCIC-ICS published
an advisory that reported eight vulnerabilities in the Advantech Web Access
Node. All of those vulnerabilities were reported to NCCIC-ICS by Natnael Samson
and Z0mb1E via the Zero Day Initiative. Later this week ZDI published their
supporting reports. ZDI published multiple reports for the two buffer-overflow
vulnerabilities that NCCIC-ICS each reported under a single CVE number: CVE-2020-12002
and CVE-2020-10638. For both CVEs, NCCIC-ICS reported that there were ‘multiple’
individual vulnerabilities.
For the Stack-based buffer overflows, CVE-2020-12002, ZDI
reports the following individual vulnerabilities:
• DATACORE IOCTL 0x00005241 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x0000791e Directory Traversal Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x00005227 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• BacNetDrvJ Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• GpsET200 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• OPCUA Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• SyntecUA Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• BwBacNetJ Stack-based Buffer Overflow Remote Code Execution Vulnerability, and
• BwBacNetJ Stack-based Buffer Overflow Remote Code Execution Vulnerability
For the Heap-based buffer overflows, CVE-2020-10638, ZDI
reports the following individual vulnerabilities:
• DATACORE IOCTL 0x0000791c Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x0000791e Integer Overflow Remote Code Execution Vulnerability,
• DrawSrv IOCTL 0x00002723 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• BwWebSvc IOCTL 0x00013c77 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• BwTCPIP Heap-based Buffer Overflow Remote Code Execution Vulnerability, and
• ViewSrv IOCTL 0x00002723 Heap-based Buffer Overflow Remote Code Execution Vulnerability
ZDI also published advisories for the same product that were
not covered by any of the CVEs listed in the NCCIC-ICS advisory. They include:
• IOCTL 0x2711 bwscrp Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5217 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5218 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x521B Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x520B Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5213 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5208 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5209 Heap-based Buffer Overflow Remote Code Execution Vulnerability, and
• DATACORE IOCTL 0x520B Heap-based Buffer Overflow Remote Code Execution Vulnerability
With the listing of the individual affected file names, it
looks like some of the vulnerabilities may be from files supplied by
third-party vendors.
1 comment:
The folk at 3S are getting better about security issues. But Advantech still can't seem to get their act together.
Even if security weren't a concern, I'd be worried about overall software quality control with Advantech.