Today the CISA NCCIC-ICS published three control system security
advisories for products from Rockwell Automation (2) and ENTTEC. They also
published a medical device security advisory for products from Philips.
FactoryTalk Advisory
This advisory describes two vulnerabilities in the Rockwell FactoryTalk View SE.
The vulnerabilities were reported by Ilya Karpov and Evgeny Druzhinin of ScadaX
Security. Rockwell has new versions that mitigate the vulnerabilities. There is
no indication that the researchers have been provided an opportunity to verify
the efficacy of the fix.
The two reported vulnerabilities are:
• Cleartext transmission of sensitive information - CVE-2020-14480, and
• Weak encoding for passwords - CVE-2020-14481
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to lead to
unauthorized access to server data.
FactoryTalk Services Advisory
This advisory describes an improper restriction of XML external entity reference
vulnerability in the Rockwell FactoryTalk Services Platform. The vulnerability
was reported by Applied Risk. Rockwell has a patch that mitigates the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to lead to a
denial-of-service condition and to the arbitrary reading of any local file via
system level services.
NOTE: NCCIC-ICS did not publish a link to the Rockwell
advisory.
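Since the impact reported here is arbitrary local file read through XML external entities, the defender-side check worth having is an XML parser that refuses DTDs outright, so no entity can ever be declared. The block below is an added example, not Rockwell's code or patch, using Python's standard-library expat bindings; the two sample documents, including the `file:///placeholder-local-file` URI, are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document declares a DTD or references an external entity."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse XML with expat, refusing any DOCTYPE, entity declaration or
    external entity reference. Rejecting DTDs removes the mechanism XXE relies
    on, which is the usual hardening for parsers that only ever receive
    DTD-less configuration or message XML. Returns the root element name and
    the document's collected character data."""
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' rejected: DTDs are not allowed")

    def on_entity_decl(*args):
        raise UnsafeXmlError("entity declaration rejected")

    def on_external_entity(context, base, sysid, pubid):
        # Never fetch an external entity; refuse instead of returning 1 (continue).
        raise UnsafeXmlError(f"external entity '{sysid}' rejected")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = result["text"].append
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    result["text"] = "".join(result["text"]).strip()
    return result


# Constructed samples: a benign configuration document, and one that tries to
# pull a local file in through an external entity (placeholder URI, no real path).
BENIGN = b"<config><host>plc01</host></config>"
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///placeholder-local-file">]>'
               b"<config><host>&ext;</host></config>")


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document before any read."""
    try:
        parse_without_dtd(xml_bytes)
    except UnsafeXmlError:
        return True
    return False
```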
ENTTEC Advisory
This advisory describes four vulnerabilities in the ENTTEC Datagate Mk2, Storm 24,
Pixelator, and E-Streamer Mk2 lighting control products. The vulnerabilities were
reported (report includes proof-of-concept exploit code) by Mark Cross. ENTTEC
has not yet offered mitigation measures for these vulnerabilities.
The four reported vulnerabilities are:
• Hard-coded cryptographic key - CVE-2019-12776,
• Cross-site scripting - CVE-2019-12774,
• Improper access control - CVE-2019-12775, and
• Improper permission assignment for critical resource - CVE-2019-12777
NCCIC-ICS reports that a relatively low-skilled attacker
with remote access could use publicly available code to remotely exploit the vulnerabilities
to gain unauthorized SSH/SCP access to devices, inject malicious code, run
commands with root privileges, and read, write, and execute files in system
directories as any user.
Philips Advisory
This advisory describes an authentication bypass using alternate path or channel
vulnerability in the Philips Ultrasound Systems. The vulnerability is
self-reported. Philips has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to allow a
non-authenticated attacker to view or modify information. The Philips
advisory reports that it would take a relatively high-skilled attacker with
local access to exploit the vulnerability.