This week we have one new Ripple20
advisory and two updates from vendors. There are also two additional vendor advisories
from Mitsubishi and Phoenix Contact, and two researcher disclosures for products
from Delta Industrial Automation and Rockwell.
Ripple20 Advisories
Moxa has published an
advisory for the Ripple20 vulnerabilities reporting that none of their
products are affected.
HMS has published an
update for their Ripple20 advisory that was originally
published on June 23, 2020. The new information is the addition of Ewon
Netbiter 300-series to the list of unaffected products.
Schneider has published an
update for their Ripple20 advisory that was originally
published on June 23, 2020. The new information includes:
• Revised affected product data for
Enhanced Andover Continuum, and
• Added Acti9 Smartlink EL B to the
affected product list.
Mitsubishi Advisory
Mitsubishi published an
advisory describing six vulnerabilities in the TCP/IP stack for their GOT2000
Series HMI. Mitsubishi reports that these vulnerabilities are in the third-party
CoreOS. These vulnerabilities are self-reported. Mitsubishi has updates that mitigate the
vulnerabilities.
The six reported vulnerabilities are:
• Improper restriction of
operations within the bounds of a memory buffer - CVE-2020-5595,
• Session fixation - CVE-2020-5596,
• Null pointer dereference - CVE-2020-5597,
• Improper access control - CVE-2020-5598,
• Argument injection - CVE-2020-5599,
and
• Resource management errors - CVE-2020-5600
NOTE: I wonder what other control system products are using
the affected CoreOS?
Phoenix Contact Advisory
Phoenix Contact has
published an advisory describing two vulnerabilities in their Automation
Worx Software Suite. The vulnerabilities were reported by Natnael Samson and mdm
via the Zero Day Initiative. Phoenix Contact provides generic mitigation
measures pending a new version of the affected products.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2020-12497,
and
• Out-of-bounds read - CVE-2020-12498
Delta Industrial Advisories
The Zero Day Initiative published 13 advisories (ZDI-20-787 through
ZDI-20-799) for two different types of vulnerabilities in the Delta
Industrial DOPsoft HMI design software. The vulnerabilities were reported by Natnael
Samson. These were coordinated disclosures (via NCCIC-ICS) with an expected fix
from Delta Industrial in September. ZDI is reporting these as 0-day vulnerabilities.
The two vulnerability types are:
• Out-of-bounds read, and
• Heap-based buffer overflow
Rockwell Report
Applied Risk published a report describing
two vulnerabilities in the Rockwell FactoryTalk Services Platform. Rockwell published
their advisory on these vulnerabilities on June 25, 2020.