Saturday, May 9, 2020

Public ICS Disclosure – Week of 5-2-20


This week we have one vendor disclosure from 3S and one researcher report for products also from 3S. I also look at a series of Zero Day Initiative reports on the Advantech vulnerabilities that were reported by NCCIC-ICS earlier this week.

3S Advisories


3S published an advisory [.PDF download link] describing a privilege escalation vulnerability in their CODESYS visualization application. The vulnerability is self-reported. 3S has a new version that mitigates the vulnerability.

Talos published a report describing an insufficient verification of data authenticity vulnerability in the 3S Control SoftPLC runtime system. Talos reports that this is a coordinated disclosure, but there is currently no advisory for this vulnerability on the 3S Security Advisory list. The Talos report includes proof-of-concept exploit code.

Advantech Advisories


Earlier this week NCCIC-ICS published an advisory that reported eight vulnerabilities in the Advantech Web Access Node. All of those vulnerabilities were reported to NCCIC-ICS by Natnael Samson and Z0mb1E via the Zero Day Initiative. Later this week ZDI published their supporting reports. ZDI published multiple reports for the two buffer-overflow vulnerabilities that NCCIC-ICS reported under a single CVE each: CVE-2020-12002 and CVE-2020-10638. For both CVEs, NCCIC-ICS reported that there were ‘multiple’ individual vulnerabilities.

For the stack-based buffer overflows, CVE-2020-12002, ZDI reports the following individual vulnerabilities:

DATACORE IOCTL 0x00005241 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x0000791e Directory Traversal Remote Code Execution Vulnerability,
DATACORE IOCTL 0x00005227 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
BacNetDrvJ Stack-based Buffer Overflow Remote Code Execution Vulnerability,
GpsET200 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
OPCUA Stack-based Buffer Overflow Remote Code Execution Vulnerability,
SyntecUA Stack-based Buffer Overflow Remote Code Execution Vulnerability,
BwBacNetJ Stack-based Buffer Overflow Remote Code Execution Vulnerability, and
BwBacNetJ Stack-based Buffer Overflow Remote Code Execution Vulnerability

For the heap-based buffer overflows, CVE-2020-10638, ZDI reports the following individual vulnerabilities:

DATACORE IOCTL 0x0000791c Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x0000791e Integer Overflow Remote Code Execution Vulnerability,
DrawSrv IOCTL 0x00002723 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
BwWebSvc IOCTL 0x00013c77 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
BwTCPIP Heap-based Buffer Overflow Remote Code Execution Vulnerability, and
ViewSrv IOCTL 0x00002723 Heap-based Buffer Overflow Remote Code Execution Vulnerability

ZDI also published advisories for the same product that were not covered by any of the CVEs listed in the NCCIC-ICS advisory. They include:

IOCTL 0x2711 bwscrp Stack-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x5217 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x5218 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x521B Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x520B Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x5213 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x5208 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
DATACORE IOCTL 0x5209 Heap-based Buffer Overflow Remote Code Execution Vulnerability, and
DATACORE IOCTL 0x520B Heap-based Buffer Overflow Remote Code Execution Vulnerability

With the individual affected file names listed, it looks like some of the vulnerabilities may be in third-party, vendor-supplied files.
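The ZDI titles above name three memory-safety classes in IOCTL-style message handlers: stack-based buffer overflow, heap-based buffer overflow and integer overflow. The following C program is an added illustration, not code from Advantech, 3S, ZDI or NCCIC-ICS, of the input checks a hardened handler needs against each class. The request layout (a 4-byte IOCTL code, a 4-byte declared payload length, then the payload), the IOCTL codes 0x1001 and 0x1002, and the record format are all constructed for this example and have nothing to do with the real WebAccess protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request layout for this example (not any vendor's real wire
 * format): 4-byte little-endian IOCTL code, 4-byte little-endian payload
 * length, then the payload bytes. */
#define HDR_LEN        8u
#define STACK_BUF_LEN  64u
#define REC_LEN        16u     /* size of one record in IOCTL_LOAD_RECORDS */
#define MAX_RECORDS    4096u   /* sanity cap on how many records we accept */

/* Hypothetical IOCTL codes, chosen for this example only. */
#define IOCTL_COPY_TO_STACK 0x1001u
#define IOCTL_LOAD_RECORDS  0x1002u

typedef enum {
    HANDLED = 0,
    ERR_SHORT_HEADER,  /* fewer bytes received than a header */
    ERR_TRUNCATED,     /* declared length exceeds the bytes received */
    ERR_TOO_LONG,      /* payload would not fit the destination buffer */
    ERR_OVERFLOW,      /* size arithmetic would wrap */
    ERR_NOMEM,         /* allocation failed */
    ERR_UNKNOWN        /* unrecognised IOCTL code */
} result_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse and dispatch one request. msg_len is the byte count actually received. */
result_t handle_request(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HDR_LEN) return ERR_SHORT_HEADER;
    uint32_t code = rd32(msg);
    uint32_t declared = rd32(msg + 4);
    /* Check 1: the declared length must be backed by bytes we really received,
     * otherwise every later read runs off the end of the buffer. */
    if (declared > msg_len - HDR_LEN) return ERR_TRUNCATED;
    const uint8_t *payload = msg + HDR_LEN;

    switch (code) {
    case IOCTL_COPY_TO_STACK: {
        /* Stack-based overflow guard: bound the copy by the destination size,
         * never by the attacker-controlled length field alone. */
        char buf[STACK_BUF_LEN];
        if (declared >= sizeof buf) return ERR_TOO_LONG;
        memcpy(buf, payload, declared);
        buf[declared] = '\0';
        return HANDLED;
    }
    case IOCTL_LOAD_RECORDS: {
        /* Heap-based overflow / integer overflow guard: the allocation size is
         * count * REC_LEN, so prove the multiplication cannot wrap before it
         * reaches malloc, cap it, and confirm the records are actually present. */
        if (declared < 4) return ERR_TRUNCATED;
        uint32_t count = rd32(payload);
        if (count > UINT32_MAX / REC_LEN) return ERR_OVERFLOW;
        if (count > MAX_RECORDS) return ERR_TOO_LONG;
        uint32_t total = count * REC_LEN;
        if (total > declared - 4) return ERR_TRUNCATED;
        if (count == 0) return HANDLED;
        uint8_t *recs = malloc(total);
        if (!recs) return ERR_NOMEM;
        memcpy(recs, payload + 4, total);   /* safe: total <= bytes present */
        free(recs);
        return HANDLED;
    }
    default:
        return ERR_UNKNOWN;
    }
}

/* Build a request into out. 'declared' may differ from payload_len to model a
 * sender lying about its length. Returns bytes written, or 0 if out is too small. */
size_t build_request(uint8_t *out, size_t cap, uint32_t code, uint32_t declared,
                     const uint8_t *payload, size_t payload_len) {
    if (cap < HDR_LEN + payload_len) return 0;
    wr32(out, code);
    wr32(out + 4, declared);
    memcpy(out + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

int main(void) {
    uint8_t msg[256], pl[200];
    memset(pl, 'A', sizeof pl);
    size_t n = build_request(msg, sizeof msg, IOCTL_COPY_TO_STACK, 100, pl, 100);
    printf("100-byte payload to 64-byte stack buffer -> result %d\n", handle_request(msg, n));
    uint8_t rp[4];
    wr32(rp, 0x10000000u);   /* count * 16 would wrap to 0 in 32 bits */
    n = build_request(msg, sizeof msg, IOCTL_LOAD_RECORDS, 4, rp, 4);
    printf("record count 0x10000000 -> result %d\n", handle_request(msg, n));
    return 0;
}
```

The order of the checks matters: the truncation check comes before anything reads the payload, the stack copy is bounded by the destination rather than the header, and the record count is validated against the multiplication before the product is used as an allocation size. Dropping any one of those is exactly the class of bug the ZDI titles describe.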

1 comment:

Jake Brodsky said...

The folk at 3S are getting better about security issues. But Advantech still can't seem to get their act together.

Even if security weren't a concern, I'd be worried about overall software quality control with Advantech.
