Wednesday, June 24, 2020

3 Advisories and 5 Updates Published – 6-23-20


Yesterday the CISA NCCIC-ICS published three control system security advisories for products from ABB, Honeywell and Mitsubishi Electric. They also updated five medical device security advisories: one for a product from BD and four for products from Baxter.

ABB Advisory


This advisory describes an insecure storage of sensitive information vulnerability in the ABB Device Library Wizard. The vulnerability was reported by William Knowles of Applied Risk. ABB has new versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a low-level user to escalate privileges and fully compromise the device.

Honeywell Advisory


This advisory describes two cleartext transmission of sensitive information vulnerabilities in the Honeywell ControlEdge PLC and RTU. The vulnerabilities were reported by Nikolay Sklyarenko of Kaspersky. Honeywell provides a document (login required) describing the mitigation measures for these vulnerabilities. There is no indication that Sklyarenko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain passwords and session tokens.

Mitsubishi Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in the Mitsubishi MELSEC CPU modules. The vulnerability was reported by Shunkai Zhu, Rongkuan Ma and Peng Cheng from NESC Lab. Mitsubishi provides only generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow information disclosure, information tampering, unauthorized operation, or a denial-of-service condition.

NOTE: NCCIC-ICS did not publish the link to the Mitsubishi advisory.

BD Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the BD advisory.

Sigma Spectrum Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Phoenix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

PrismaFlex Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisories (PrismaFlex and PrisMax).

ExactaMix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.
