Thursday, July 2, 2020

3 Advisories and 1 Update Published – 7-2-20


Today the CISA NCCIC-ICS published two control system security advisories for products from ABB and Nortek and a medical device security advisory for products from OpenClinic. They also updated an advisory for products from Johnson Controls.

ABB Advisory


This advisory describes a cross-site scripting vulnerability in the ABB System 800xA Information Manager. The vulnerability was reported by William Knowles of Applied Risk. ABB has versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to inject and execute arbitrary code on the information manager server.

NOTE 1: An interesting process safety note can be found in the ABB Advisory:

“Under certain conditions exploits of this vulnerability may affect the integrity of safety functions in System 800xA. This is however prevented if the Access Enable key in the AC800MHI is turned Off (“disabled”) and Access Level for the variables in the safety applications are configured to ‘Read Only’ or ‘Confirm and Access Enable’”

NOTE 2: I briefly discussed this vulnerability back in April.

Nortek Advisory


This advisory describes five vulnerabilities in the Nortek Linear eMerge 50P/5000P. The vulnerabilities were reported by Gjoko of Applied Risk. Nortek has a new version that mitigates the vulnerabilities. There is no indication that Gjoko has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Path traversal - CVE-2019-7267,
• Command injection - CVE-2019-7269,
• Unrestricted upload of file with dangerous type - CVE-2019-7268,
• Cross-site request forgery - CVE-2019-7270, and
• Improper authentication - CVE-2019-7266

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain full system access.

NOTE 1: The Applied Risk advisory also describes a default credentials vulnerability (CVE-2019-7271) in this product.

NOTE 2: There is at least one publicly available exploit for vulnerabilities described in this advisory.

OpenClinic Advisory


This advisory describes 12 vulnerabilities in the OpenClinic GA, an open-source integrated hospital information management system. The vulnerabilities were reported by Brian D. Hysell. NCCIC-ICS has not received any confirmation of mitigation measures from OpenClinic GA.

The twelve reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2020-14485,
• Improper restriction of excessive authentication attempts - CVE-2020-14484,
• Improper authentication - CVE-2020-14494,
• Missing authorization - CVE-2020-14491,
• Execution with unnecessary privileges - CVE-2020-14493,
• Unrestricted upload of file with dangerous type - CVE-2020-14488,
• Path traversal - CVE-2020-14490,
• Improper authorization - CVE-2020-14486,
• Cross-site scripting - CVE-2020-14492,
• Use of unmaintained third-party components - CVE-2020-14495,
• Insufficiently protected credentials - CVE-2020-14489, and
• Hidden functionality - CVE-2020-14487

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to remotely exploit these vulnerabilities to allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.

Johnson Controls Update


This update provides additional information on an advisory that was originally published on June 18th, 2020. The new information includes corrected version information and mitigation measures.

NCCIC-ICS Update Listings


NCCIC-ICS did not list this latest update on either the ‘Industrial Control Systems’ or the ‘ICS-Archive’ pages. Since this has happened on two consecutive disclosure days, it would appear that this is a change in policy. They are still (for the time being at least) reporting these updates in their emails and TWEETS®. You can sign up for their email alerts at the bottom of the landing page and/or follow their TWEETS @ICS-CERT.
