This week we have six Ripple20 [Corrected link, 10-18-20, 0856 EDT] advisories from vendors, one of them an update. There were also four vendor
updates from Schneider, Rockwell (2) and Yokogawa. There was a researcher
report for products from OSIsoft. There were also four exploits published for
products from ABUS, SICK, mySCADA and Inductive Automation.
Ripple20 Advisories and Updates
HMS published a
Ripple20 advisory that identifies affected products and generic
mitigations.
Eaton published a
Ripple20 advisory that identifies affected products and generic
mitigations.
Boston Scientific published a
Ripple20 advisory that admits that some (unidentified) products have the vulnerabilities
but “concluded there is no increased security risk for patients who have our
implantable products because of the Treck vulnerabilities”.
Schneider published a
Ripple20 advisory that identifies affected products and generic
mitigations.
Schneider published a Ripple20
advisory specifically for their network management card products.
Schneider updated their Ripple20 advisory that was
originally published on June 16th, 2020. The update refers to the first new
advisory described above.
Schneider Update
Schneider published an
update of their legacy Triconex advisory that was
originally published on April 14th, 2020. The new information
includes adding CVE numbers and descriptions and updated affected version and
mitigation data.
NOTE: The revised advisory includes an interesting
discussion about why Schneider decided that this update was necessary.
Rockwell Updates
Rockwell published an
update for their FactoryTalk Linx Path Traversal advisory that was
originally published on June 18th, 2020. The new information
includes a revised list of affected products.
Rockwell published an
update for their FactoryTalk Linx multiple vulnerability advisory that was
originally published on June 11th, 2020. The new information
includes a revised list of affected products.
NOTE: The updated information is the same in both updates.
See my note on the path traversal advisory in last
week’s blog post.
Yokogawa Update
Yokogawa published an
update for their unquoted service path advisory that was originally
published on September 27th, 2019 and most
recently updated November 1st, 2019. The new information
includes adding three new products to the affected product list and providing mitigation
links for those products.
OSIsoft Report
Otorio published a
report on a cross-site scripting vulnerability in the OSIsoft PI Web API 2019.
The vulnerability was
disclosed by OSIsoft on June 11th, 2020. The report includes a
poor-quality video demonstrating an exploit of the vulnerability.
ABUS Exploit
Matthias Deeg published an exploit for a
missing encryption of sensitive data vulnerability in the ABUS Secvest Wireless
Control Device (FUBE50001). This was reportedly coordinated with ABUS.
SICK Exploit
Aliasrobotics published an exploit for a
default credentials vulnerability in the SICK safety PLC. There is no
indication that this was reported to SICK, so this is probably a 0-day exploit.
mySCADA Exploit
Emre ÖVÜNÇ published an exploit
for a hard-coded credentials vulnerability in the mySCADA myPro HMI. There is
no indication that this was reported to mySCADA, so this is probably a 0-day
exploit.
Inductive Automation Exploit
Pedro Ribeiro and Radek Domanski published a
Metasploit module for a Java deserialization vulnerability in the
Inductive Automation Ignition SCADA product. The vulnerability was
disclosed by the vendor on June 2nd, 2020 and the NCCIC-ICS
advisory was subsequently
updated on June 11th, 2020.