This week we have seven vendor disclosures from Schneider
(3), WAGO (2), Moxa and Medtronic as well as four vendor updates for advisories
from Schneider (3) and Siemens. There were three researcher reports about
vulnerabilities from Siemens.
Schneider Advisories
Schneider published an
advisory describing an out-of-bounds write vulnerability in their Modicon
M218 Logic Controller. The vulnerability was reported by CNCERT. Schneider provides
generic workarounds to mitigate the vulnerability.
Schneider published an
advisory describing a use of hard-coded credentials vulnerability in their Unity
Loader and OS Loader Software. The vulnerability was reported by Yang Dong of DingXiang
Dongjian Security Lab. Schneider provides workarounds to mitigate the vulnerability,
noting that: “Hardcoded credentials are kept for compatibility with legacy
products.”
Schneider published an
advisory describing a null pointer dereference vulnerability in their Modicon
LMC078 Logic Controller. This vulnerability is self-reported. Schneider
provides generic workarounds to mitigate the vulnerability.
NOTE: This vulnerability
is in a third-party (Wind River) component (IGMP) and was introduced in a patch
applied to mitigate the Urgent/11 vulnerabilities.
This vulnerability should be able to be found in a large number of products. I
expect that we will be seeing more of this one.
WAGO Advisories
CERT-VDE published an advisory
describing an improper privilege management vulnerability in the WAGO Web Based
Management products. This vulnerability was reported
by Cisco Talos; the report includes proof-of-concept code. WAGO provides
generic workarounds to mitigate this ‘feature’.
CERT-VDE published an advisory
describing a classic buffer overflow vulnerability in the WAGO Series PFC100
and Series PFC200 PLCs. This vulnerability was reported by BSI. WAGO has new firmware
that mitigates the vulnerability. There is no indication that the researcher
has been provided an opportunity to verify the efficacy of the fix.
NOTE: This is the third-party (Linux) PPP
daemon vulnerability that has been previously reported in other products.
MOXA Advisory
Moxa has published an
advisory describing a command injection vulnerability in their VPort 461
Series Industrial Video Servers. The vulnerability was reported by Xinjie Ma
from Beijing Chaitin Future Technology Co. Moxa has a patch for this phased-out
product. There is no indication that Xinjie has been provided an opportunity to
verify the efficacy of the fix.
Medtronic Advisory
Medtronic has published an
advisory describing the Bluetooth
Impersonation Attacks (BIAS) vulnerabilities in their FA Controller and Patient Telemetry Module products. Medtronic
has not yet determined what mitigation measures it will take.
NOTE: These vulnerabilities may (probably?) affect any
medical device or control system component that uses Bluetooth connectivity.
Schneider Updates
Schneider published an
update for their Urgent/11 advisory
that was originally
published on August 2nd, 2020 and most
recently updated on May 12th, 2020. The new information includes
updated mitigation measures for:
• Easergy T300 and
• Magelis HMI - HMIGTO Series, HMISCU
Series, HMIGTUX Series, and HMIGTU
Series (Except Open BOX) products
Schneider published an
update for their EcoStruxure™ Operator Terminal Expert advisory that was originally
published on May 12th, 2020. The new information includes an
update of CVE-2020-7495.
Schneider published an
update for their GoAhead Web Server Vulnerability that was originally
published on December 10th, 2015. The new information includes:
• A note that proof-of-concept code
is publicly available,
• Updated remediation information.
NOTE: ICS-CERT (now NCCIC-ICS) published an advisory
for this vulnerability; it will be interesting to see if they get around to
updating it.
Siemens Update
Siemens published an update
for their Urgent/11 advisory that was
originally
published on May 12th, 2020. The new information includes
updated version data and mitigation measures for Siemens Power Meters Series
9810.
Researcher Reports – Siemens
Cisco Talos published three research reports (here,
here
and here)
describing vulnerabilities in the Siemens LOGO! products. The reports each
claim CVE# CVE-2020-7589 which was
reported by Siemens (and NCCIC-ICS) earlier
this week as a single missing authentication for critical function vulnerability.
Each Talos report includes separate proof-of-concept code.