Saturday, June 6, 2020

Public ICS Disclosures – Week of 5-30-20

This week we have three vendor disclosures from Phoenix Contact, PEPPERL+FUCHS and SICK plus an update of a previous vendor disclosure from Johnson Controls.

Phoenix Contact Advisory

Phoenix Contact published an advisory [.PDF download link] describing a buffer overflow vulnerability in the Linux Point-to-Point Protocol (PPP) daemon in their FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices. The vulnerability is apparently being self-reported. Phoenix Contact has firmware versions that mitigate the vulnerability.

NOTE: this is the same vulnerability, CVE-2020-8597, reported the week before by Belden.


PEPPERL+FUCHS Advisory

CERT VDE published an advisory describing two vulnerabilities in the PEPPERL+FUCHS PACTware. The vulnerabilities were reported by Reid Wightman of Dragos, Inc. PEPPERL+FUCHS has new versions that mitigate the vulnerabilities. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Storing passwords in recoverable format - CVE-2020-9403, and
• Unverified password change - CVE-2020-9404

SICK Advisory

SICK published an advisory describing a profile programming vulnerability in their bar code scanners. The vulnerability was reported by Ruben Santamarta of IOActive. SICK provides a workaround to mitigate the vulnerability.

NOTE: This is another ‘a feature is a vulnerability’ situation. These barcode scanners can be ‘programmed’ by the barcodes that they scan. Thus, substituting a malicious barcode can upset the system to which the scanner is attached. The fix is to disable the feature.

Johnson Controls Update

Johnson Controls published an update for an advisory that was originally published on May 21st, 2020 and most recently updated on May 29th, 2020. The new information includes a minor modification to the mitigation instruction for American Dynamics victor Video Management System v5.2 (change “Securely delete the installer log file…” to “Delete the installer log file…”).

The NCCIC-ICS published their advisory on these vulnerabilities (ICSA-20-142-01), but has not yet addressed any of the Johnson Controls updates.
