2 Advisories and 2 Updates Published – 6-30-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Delta Industrial. They also updated two advisories for products from Treck and Inductive Automation.

Mitsubishi Advisory

This advisory describes two vulnerabilities in the Mitsubishi Factory Automation Engineering Software Products. The vulnerabilities are self-reported. Mitsubishi has new versions that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper restriction of XML external entity reference - CVE-2020-5602, and

• Uncontrolled resource consumption - CVE-2020-5603

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a local attacker to send files outside of the system as well as cause a denial-of-service condition.

NOTE: NCCIC-ICS did not provide a link to the Mitsubishi advisory.

Delta Advisory

This advisory describes two vulnerabilities in the Delta Industrial Automation DOPSoft HMI editing software. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Delta expects to have a new version to mitigate these vulnerabilities available next month (July).

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-10597, and

• Heap-based buffer overflow - CVE-2020-14482

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

Treck Update

This update provides new information on an advisory that was originally published on June 16^th, 2020 and most recently updated on June 18^th, 2020. The new information includes the addition of links to two new affected vendors’ advisories:

• CareStream and

• Eaton

NOTE: I briefly mentioned the Eaton advisory last Saturday.

Inductive Update

This update provides new information on an advisory that was originally published on May 26^th, 2020 and most recently updated on June 2^nd, 2020. The new information includes:

• The addition of a new vulnerability – missing authentication for critical function - CVE-2020-14479, and

• A note that it will be corrected in an expected future version update.

NOTE: There is no mention of the two updates listed above on either the CISA Industrial Control Systems landing page or the associated Recently Published page. Fortunately ICS-CERT (ics-cert@ncas.us-cert.gov) sent out email notifications and TWEETS® on the two updates.