Today the CISA NCCIC-ICS published two control system security
advisories for products from Mitsubishi and Grundfos. They also updated an
advisory for products from Treck. CISA also started a new control system
security initiative.
Mitsubishi Advisory
This advisory describes six vulnerabilities in the Mitsubishi GOT2000. These vulnerabilities
are in the third-party CoreOS. The vulnerabilities are self-reported.
Mitsubishi provided instructions on how to update the CoreOS version.
The six reported vulnerabilities are:
• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5595,
• Session fixation - CVE-2020-5596,
• Null pointer dereference - CVE-2020-5597,
• Improper access control - CVE-2020-5598,
• Argument injection - CVE-2020-5599, and
• Resource management errors - CVE-2020-5600
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to cause a
denial-of-service condition or achieve remote code execution.
NOTE 1: I briefly discussed these vulnerabilities last Saturday.
NOTE 2: NCCIC-ICS did not provide a link to the Mitsubishi advisory.
Grundfos Advisory
This advisory describes two vulnerabilities in the Grundfos CIM 500 communications module.
The vulnerabilities were reported by Marcin Dudek from CERT.PL. Grundfos has a
new firmware version that mitigates the vulnerabilities. There is no indication
that Dudek has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Missing authentication for critical function - CVE-2020-10605, and
• Unprotected storage of credentials - CVE-2020-10609
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow access to cleartext
credential data.
Treck Update
This update provides new information on the Ripple20 advisory that was originally
published on June 16th, 2020 and most recently updated on June 30th, 2020. The new
information includes links to vendor advisories:
• Opto22 (includes list of affected products, new firmware pending), and
• Smiths Medical (includes list of affected products, update pending).
NOTE: NCCIC-ICS has not yet identified the Moxa advisory that I mentioned Saturday.
Mitsubishi Update
This update provides new information on an advisory that was originally
published on June 23rd, 2020. The new information includes:
• Correcting the CVE number to that originally reported by Mitsubishi, and
• Adding a link for contacting Mitsubishi about the vulnerability.
[Added 9:20 EDT, 7-7-20; Missed email (SIGH)]
ICS Security Initiative
CISA has released its five-year industrial control systems (ICS) strategy: Securing
Industrial Control Systems: A Unified Initiative. This 11-page document is a
high-level analysis of the current ICS security problem and an aspirational
look at how CISA plans on dealing with the problems associated with securing
the wide swath of security systems involved in the National Critical
Functions (NCF) recently defined by CISA. Probably more on this tomorrow.