This week we have eight vendor disclosures (3 for the Ripple20 vulnerabilities) for
products from Beckhoff, Moxa, Medtronic, GE Healthcare, Draeger (2), Rockwell, and
BD. There is also a researcher report of a zero-day for products from Inductive
Automation.
Ripple20 Advisories
Medtronic published a Ripple20 advisory
reporting no impact.
GE Healthcare published a Ripple20 advisory reporting no impact
but advising that there may be possible impact to third party components used
in combination with GE Healthcare products.
Draeger published a Ripple20 advisory
reporting no impact.
NOTE: “No impact” reports are valuable information. I think
the GE nuanced ‘no impact’ report is important where the vendor software may be
running on a machine that includes other non-vendor produced software (perhaps
including OS?).
Beckhoff Advisory
CERT-VDE published an advisory
describing an information leak vulnerability in the Beckhoff TwinCAT RT network
driver. The vulnerability is self-reported. Beckhoff has patches that mitigate
the vulnerability.
Moxa Advisory
Moxa published an
advisory describing a stack-based buffer overflow vulnerability in their EDR-G902
Series and EDR-G903 Series Secure Routers. The vulnerability was reported by Tal
Keren from Claroty. Moxa has new firmware to mitigate the vulnerability. There
is no indication that Keren has been provided an opportunity to verify the
efficacy of the fix.
Draeger Advisory
Draeger published an
advisory describing an improper input validation vulnerability in their Perseus
A500 product. The vulnerability is self-reported. Draeger has new software that
mitigates the vulnerability.
Rockwell Vulnerability
Rockwell published an
advisory describing a path traversal vulnerability in their FactoryTalk Linx
software. This vulnerability was discovered in the ZDI Pwn2Own competition at
this year’s S4 Security conference. Rockwell has a patch that mitigates the
vulnerability.
NOTE: Rockwell reports that they had previously disclosed
this vulnerability in an
advisory that was
published on June 11th, 2020. I suppose that the Pwn2Own announcement
could have been included as an update to that advisory. This may be why
NCCIC-ICS has not picked up this advisory.
BD Advisory
BD published an
advisory describing a remote code execution vulnerability in a number of BD
products that run Microsoft Windows 10. This is a third-party (Microsoft) SMBv3
server vulnerability. BD is currently working to test and validate the
Microsoft patch on the affected products.
Inductive Automation Advisory
The Zero Day Initiative published an advisory
describing a deserialization of untrusted data vulnerability, with an
information disclosure impact, in the Inductive Automation Ignition product. The
vulnerability was reported by Chris Anastasio (muffin) and Steven Seeley (mr_me)
of Incite Team. This vulnerability was discovered in the ZDI Pwn2Own competition
at this year’s S4 Security conference and reported to the vendor. The vendor has
not been able to provide an estimated fix date to either ZDI or NCCIC-ICS, so
ZDI has published its advisory without a fix being available. This is
effectively a zero-day vulnerability.