This week we have five vendor disclosures for products from
Schneider (4) and Rockwell as well as six vendor updates from Schneider (5) and
Siemens. We also have two researcher reports of vulnerabilities in products
from Advantech.
Schneider Advisories
Schneider published an
advisory describing a weak password requirement vulnerability in their Pro-face
GP-Pro EX Programming Software product. The vulnerability was reported by Kirill
Kruglov of Kaspersky Labs. Schneider has a new version that mitigates the
vulnerability. There is no indication that Kruglov has been provided an opportunity
to verify the efficacy of the fix.
Schneider published an
advisory describing a use of hard-coded credentials vulnerability in their Vijeo
Designer Basic and Vijeo Designer software products. The vulnerability was
reported by Jie Chen of NSFOCUS. Schneider has a HotFix available to mitigate
the vulnerability. There is no indication that Jie has been provided an
opportunity to verify the efficacy of the fix.
Schneider published an
advisory describing two vulnerabilities in their U.motion servers and touch
panel products. The vulnerabilities were reported by Rgod and Zhu Jiaqi.
Schneider has a new version that mitigates the vulnerabilities. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The two reported vulnerabilities are:
• Improper access control - CVE-2020-7499, and
• SQL injection - CVE-2020-7500
Schneider published an
advisory describing five vulnerabilities in their EcoStruxure™ Operator
Terminal Expert product. The vulnerabilities were reported by Steven Seeley and
Chris Anastasio of Incite Team, Sharon Brizinov and Amir Preminger of Claroty
Research via the Zero Day Initiative (see here, here, and here), and Fredrik
Østrem, Emil Sandstø, and Cim Stordal of Cognite. Schneider has a new version
that mitigates four of the five vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
The five reported vulnerabilities are:
• SQL command injection - CVE-2020-7493,
• Path traversal (3) - CVE-2020-7494, CVE-2020-7495, and CVE-2020-7497, and
• Argument injection or modification - CVE-2020-7496
Rockwell Advisory
Rockwell published an
advisory describing five vulnerabilities in multiple Rockwell Automation software
products. These are third-party vulnerabilities from OSIsoft components used in
the Rockwell products. These vulnerabilities are self-identified. Rockwell
provides workarounds to mitigate the vulnerabilities.
The five reported vulnerabilities are:
• Local privilege escalation via uncontrolled search path element - CVE-2020-10610,
• Local privilege escalation via improper verification of cryptographic key - CVE-2020-10608,
• Local privilege escalation via incorrect default permissions - CVE-2020-10606,
• Null pointer dereference - CVE-2020-10600, and
• Use of out-of-range pointer offset may lead to remote code execution - CVE-2020-10645
NOTE: These are five of the ten vulnerabilities in the OSIsoft
PI System that were
reported by NCCIC-ICS earlier this week. The fact that this Rockwell Advisory
was published on the same day as the NCCIC-ICS advisory indicates that there
was pre-disclosure coordination between OSIsoft and Rockwell. Good show.
Advantech Advisories
The Zero Day Initiative published advisories (see links
below) describing two vulnerabilities in Advantech WebAccess Node. ZDI
published the two advisories as 0-day notifications under their 120-day
response rule. NCCIC-ICS was reportedly involved in the coordination of these vulnerabilities.
The vulnerabilities were reported by Z0mb1E.
The two reported vulnerabilities are:
• DATACORE Stack-based Buffer Overflow Remote Code Execution Vulnerability - ZDI-20-654, and
• Incorrect Permission Assignment Privilege Escalation Vulnerability - ZDI-20-655
Schneider Updates
Schneider published an
update for the Urgent/11 advisory
that was originally
published on August 11th, 2019 and most
recently updated on April 14th, 2020. The new information
includes updated mitigation information for:
• Modicon Network Option Switch,
• Modicon X80 - I/O Drop Adapters,
• Modicon Quantum 140 CRA,
• Modicon Quantum Head 140 CRP,
• Modicon Quantum Ethernet DIO network module - 140NOC78x00 (C),
• SCD6000 Industrial RTU, and
• Pro-face HMI - GP4000H/R/E Series
Schneider published an
update for their Andover Continuum System advisory that was originally
published on March 10th, 2020 and most
recently updated on April 14th, 2020. The new information
includes minor updates to overview, vulnerability details, and product
information for clarification.
Schneider published an
update for their Embedded Web Servers for Modicon advisory that was originally
published in November 2018 and most recently updated November 27th,
2019. The new information includes a corrected CVSS vector for CVE-2018-7812.
Schneider published an
update for their Modicon Controllers advisory that was originally
published on May 14th, 2019 and most recently updated on
December 10th, 2019. The new information includes updated fix
version information for CVE-2018-7857.
Schneider published an
update for their Legacy Triconex advisory that was originally
published on April 14th, 2020. Unfortunately, the link on the
Schneider web site takes one to the original version of the advisory.
Siemens Update
Siemens published an update
for their GNU/Linux advisory that was originally
published on November 27th, 2018 and most
recently updated on April 14th, 2020. The new information
includes the addition of the following CVEs:
• CVE-2019-9674,
• CVE-2019-18348,
• CVE-2019-20636,
• CVE-2020-8492,
• CVE-2020-11565,
• CVE-2020-11655, and
• CVE-2020-11656