This week we have 11 vendor disclosures for products from SWARCO
Traffic Systems, Bosch, ABB (8), and Belden. There are also two updated vendor
disclosures from Johnson Controls and Belden.
SWARCO Advisory
INCIBE-CERT published an
advisory describing an inadequate access control vulnerability on the SWARCO
LS4000 CPU. The vulnerability was reported by Martin Aman, from the company
ProtectEM. SWARCO has a patch that mitigates the vulnerability. There is no
indication that Aman was provided an opportunity to verify the efficacy of the
fix.
Bosch Advisory
Bosch has published
an advisory describing four vulnerabilities in their Bosch Recording Station
(BRS). The vulnerabilities are apparently self-reported. Bosch provides generic
workarounds and recommends a new product upgrade.
The four reported vulnerabilities are:
• EternalBlue - CVE-2017-0144,
• BlueKeep - CVE-2019-0708,
• Improper access control - CVE-2020-6774, and
• Lack of full disc encryption – (no CVE)
ABB Advisories
ABB published eight advisories dealing with the effects of the
Urgent/11 vulnerabilities on specific
product lines. ABB
published a series of initial reports on the URGENT/11 vulnerabilities
back in July of last year and those were referenced in the NCCIC-ICS URGENT/11
advisory. At that time ABB was only able to provide generic workarounds for
the vulnerabilities. This week’s advisories provide more specific mitigation
measures:
• CI845 – new version,
• FOX615 Multiservice-Multiplexer – new version,
• Relion 670, Relion 650, SAM600-IO series – new versions,
• AFS66x – new version,
• NSD570 Teleprotection Equipment – new versions,
• ETL600 Power Line Carrier System – new version,
• REB500 – new version, and
• RTU500 series – new versions
Belden Advisory
Belden published an
advisory describing a buffer overflow vulnerability in the Linux Point-to-Point
Protocol (PPP) daemon in the Belden Hirschmann OWL devices. This
vulnerability is apparently self-reported. Belden has a new version that
mitigates the vulnerability.
NOTE: There are a number of proof-of-concept exploits (see here
for example) available for this vulnerability.
Johnson Controls Update
Johnson Controls published an
update for an advisory that was originally
published on May 21st, 2020. The new information includes:
• Updated affected version information for the C•CURE 9000, and
• More detailed mitigation instructions
Belden Update
Belden published an update
for an advisory that was originally
published on February 14th, 2020 and most recently
updated on February 26th, 2020. The new information includes a
CVE identifier (with link) for the vulnerability.