Today the CISA NCCIC-ICS published six control system
security advisories for products from ABB (4), GE and SWARCO Traffic Systems.
They also updated an advisory for products from Inductive Automation.
System 800xA Advisory
This advisory
describes two incorrect default permissions vulnerabilities in the ABB System
800xA. The vulnerabilities were reported by
William Knowles of Applied Risk. ABB provides generic workarounds to mitigate
the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to escalate
privileges, cause system functions to stop, and corrupt user applications.
NOTE: I briefly
described these vulnerabilities in early April.
System 800xA Base Advisory
This advisory
describes an incorrect permission assignment for critical resource
vulnerability in the ABB System 800xA Base. The vulnerability was reported by
William Knowles of Applied Risk. ABB has a new version that mitigates the
vulnerability. There is no indication that Knowles has been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to escalate
privileges and cause system functions to stop or malfunction.
NOTE: I briefly described
these vulnerabilities in early April and then I discussed the ABB
update later that month. The updated version is being reported by NCCIC-ICS.
System 800xA Products Advisory
This advisory
describes seven incorrect default permission vulnerabilities in various ABB System
800xA products. The vulnerabilities were reported by
William Knowles of Applied Risk. NCCIC-ICS reports that ABB plans to correct
these vulnerabilities in a future version.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to make the
system node inaccessible or tamper with runtime data in the system.
NOTE: I briefly
described these vulnerabilities in early April and then I
discussed the ABB update later that month. The updated version is being
reported by NCCIC-ICS.
Central Licensing System Advisory
This advisory
describes five vulnerabilities in the ABB Central Licensing System. The vulnerabilities
were reported by William Knowles of Applied Risk. ABB has new versions that
mitigate the vulnerabilities. There is no indication that Knowles has been
provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Information exposure - CVE-2020-8481,
• Improper restriction of XML external entity reference - CVE-2020-8479,
• Uncontrolled resource consumption - CVE-2020-8475,
• Permissions, privileges and access controls - CVE-2020-8476, and
• Improper access controls - CVE-2020-8471
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to take control of the affected
system node and cause an affected CLS Server node to stop or prevent
legitimate access to the affected CLS Server.
I briefly
reported these vulnerabilities in late April.
GE Advisory
This advisory
describes a missing authentication for critical function vulnerability in the
GE Grid Solutions Reason RT Clocks. The vulnerability was reported by Ehab
Hussein of IOActive. GE has a new firmware version that mitigates the
vulnerability. There is no indication that Hussein has been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to access sensitive information,
execute arbitrary code, and cause the device to become unresponsive.
SWARCO Advisory
This advisory
describes an improper access control vulnerability in the SWARCO CPU LS4000.
The vulnerability was reported by Martin Aman of ProtectEM. SWARCO has a patch
that mitigates the vulnerability. There is no indication that Aman has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain access to the device and
disturb operations with connected devices.
I briefly
discussed this vulnerability last Saturday.
Inductive Automation Update
This update
provides additional information on an advisory that was originally
published on May 26th, 2020. The new information includes adding
Ignition 7 Gateway to the list of affected products and providing mitigation
measures for that product.