Saturday, July 18, 2020

Public ICS Disclosures – Week of 7-11-20


This week we have four Ripple20 vendor disclosures from Siemens, ABB, Rockwell, Carestream and Schneider Electric; two SigRed vendor disclosures from Philips and GE Healthcare; and three other vendor disclosures from HMS and Schneider (2). Four vendor updates from Schneider (2) and Siemens (2) and two researcher disclosures for products from Siemens and Advantech round out the week’s offerings.

Ripple20 Disclosures and Updates


Siemens published a Ripple20 advisory for their SPPA-T3000 Solutions distributed control system. Siemens provides generic mitigation measures for these vulnerabilities.

NOTE: Siemens published a note at the top of their Security Publications page noting that:

“No Siemens product is known to use Treck Inc.'s TCP/IP stack, or otherwise be affected by the reported vulnerabilities.
“Note that Siemens products and systems might interact with products from other manufacturers which are affected by the reported vulnerabilities. In such cases Siemens recommends that owners of operational infrastructures verify if these products are affected and evaluate the potential impact of the Ripple20 vulnerabilities.”

Since the SPPA-T3000 advisory also contains two Intel Server Platform Services vulnerabilities, I suspect that the Ripple20 vulnerabilities come with the Intel server upon which the T-3000 is built.

ABB published a Ripple20 advisory. The advisory contains a list of affected products and generic mitigation measures pending further work to address the vulnerabilities.

Rockwell updated their Ripple20 advisory. The new information includes an updated table of affected products.

Carestream updated their Ripple20 advisory (.PDF download link). The new information includes adding 20 products that were on the ‘still evaluating list’ to the not affected list. The list of affected products has not changed.

Schneider updated their Ripple20 advisory. The new information includes removing the “Smartlink ELEC” from the list of affected products.

SigRed Disclosures


SigRed is the ‘cute’ name given to the Microsoft ‘wormable’ remote code execution DNS vulnerability (CVE-2020-1350).

Philips published a SigRed advisory noting that: “Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options.”


GE Healthcare published a SigRed advisory noting that: “GE Healthcare is actively assessing products that utilize impacted Microsoft Operating Systems.”

Neither of these advisories provides much in the way of information beyond noting that a vague ‘some’ of their products may be affected.

Vendor Disclosures


HMS published an advisory describing a remote code execution vulnerability in their eCatcher product. The vulnerability was reported by Claroty. HMS has an update that mitigates the vulnerability. There is no indication that Claroty was provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an open redirect vulnerability in their Schneider Electric Software Update (SESU). The vulnerability was reported by Amir Preminger of Claroty. Schneider has a new version that mitigates the vulnerability. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing two denial of service vulnerabilities in their Floating License Manager. These are third-party vulnerabilities in the Flexera FlexNet Publisher (reported here and here). Schneider has a new version that mitigates these vulnerabilities.

NOTE: Flexera is also reporting three other vulnerabilities (CVE-2019-8963, CVE-2020-12080, and CVE-2020-12081) that could potentially affect the Schneider Floating License Manager and a variety of other vendor ‘license manager’ products based upon the Flexera product.

Vendor Updates


Schneider updated their ZombieLoad advisory. The new information includes updated mitigation measures for the HMI products.

Schneider updated their BlueKeep advisory. The new information includes updated mitigation measures for the HMI products.

Siemens updated their Vulnerabilities in Intel CPUs advisory. The new information includes:

• Updated mitigation and affected version information for SIMATIC ITP1000, and
• Removed SIMATIC IPC827E from list of affected devices

Siemens updated their GNU/Linux advisory. The new information includes adding:

• CVE-2020-12114,
• CVE-2020-12659,
• CVE-2020-13630,
• CVE-2020-13631, and
• CVE-2020-13632

Researcher Disclosures


Talos published a report on the Siemens LOGO web server vulnerability that was reported earlier this week. The Talos report includes proof-of-concept code for the vulnerability.

The Zero Day Initiative published 43 reports, all based upon research by rgod, about the Advantech iView vulnerabilities that were reported earlier this week. Most of the reports provided more details on the three CVEs listed in the NCCIC-ICS advisory. One of the reports, however, described an input validation vulnerability that was not reported by NCCIC-ICS.
