Tuesday, July 7, 2020

2 Advisories and 1 Update Published – 7-7-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi and Grundfos. The also updated an advisory for products from Treck. CISA also started a new control system security initiative.

Mitsubishi Advisory

This advisory describes six vulnerabilities in the Mitsubishi GOT2000. These vulnerabilities are in the third-party CoreOS. The vulnerabilities are self-reported. Mitsubishi provided instructions on how to update the CoreOS version.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5595,
• Session fixation - CVE-2020-5596,
• Null pointer dereference - CVE-2020-5597,
• Improper access control - CVE-2020-5598,
• Argument injection - CVE-2020-5599, and
• Resource management errors - CVE-2020-5600

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote attacker to cause a denial-of-service condition or remote code execution.

NOTE 1: I briefly discussed these vulnerabilities last Saturday.

NOTE 2: NCCIC-ICS did not provide a link to the Mitsubishi advisory.

Grundfos Advisory

This advisory describes two vulnerabilities in the Grundfos CIM 500 communications module. The vulnerabilities were reported by Marcin Dudek from CERT.PL. Grundfos has a new firmware version that mitigates the vulnerabilities. There is no indication that Dudek has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-10605, and
• Unprotected storage of credentials - CVE-2020-10609

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow access to cleartext credential data.

Treck Update

This update provides new information on the Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on June 30th, 2020. The new information includes links to vendor advisories:

Opto22 (includes list of affected products, new firmware pending), and
Smiths Medical (includes list of affected products, update pending),

NOTE: NCCIC-ICS has not yet identified the Moxa advisory that I mentioned Saturday.

Mitsubishi Update

This update provides new information on an advisory that was originally published on June 23rd, 2020. The new information includes:

• Correcting the CVE number to that originally reported by Mitsubishi, and
• Adding a link for contacting Mitsubishi about the vulnerability.

[Added 9:20 EDT, 7-7-20; Missed email (SIGH)]

ICS Security Initiative 

CISA has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. This 11-page document is a high-level analysis of the current ICS security problem and an aspirational look at how CISA plans on dealing with the problems associated with securing the wide swath of security systems involved in the National Critical Functions (NCF) recently defined by CISA. Probably more on this tomorrow.

No comments:

/* Use this with templates/template-twocol.html */