Yesterday the CISA NCCIC-ICS published eight control system
security advisories for products from Siemens (5), Tridium, Schneider, and
Yokogawa. There were also 22 updates published but those will be dealt with in
a later blog post.
SICAM Advisory
This advisory
describes a cross-site scripting vulnerability in the Siemens SICAM A8000 RTUs. The vulnerability was
reported by Emma Good from KTH Royal Institute of Technology. Siemens has a new
version that mitigates the vulnerability. There is no indication that Good has
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit this vulnerability to compromise the confidentiality,
integrity, and availability of the web application.
Automation License Advisory
This advisory
describes an improper authorization vulnerability in the Siemens Automation
License Manager. The vulnerability was reported by Lasse Trolle Borup of Danish
Cyber Defense. Siemens has a new version of ALM6 that mitigates the
vulnerability. There is no indication that Borup has been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit this vulnerability to locally escalate
privileges and modify files that should be protected against writing.
Desigo Advisory
This advisory
describes a code injection vulnerability in the Siemens Desigo CC building
management platform. The vulnerability was self-reported by Siemens. Siemens has
patches available that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to gain remote code execution on the
server with SYSTEM privileges.
Simatic Advisory
This advisory
describes the Kr00k vulnerability
in the Siemens SIMATIC and SIMOTICS Wi-Fi services. This is a third-party
vulnerability in Broadcom Wi-Fi client chips, and publicly
available exploits exist. Siemens has provided generic workarounds pending development
of updates.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to read a
discrete set of traffic over the air after a Wi-Fi device state change.
NCCIC-ICS makes no mention of the publicly available exploits.
SCALANCE Advisory
This advisory
describes a classic buffer overflow in the Siemens SCALANCE and RUGGEDCOM
products. This is the Linux Point-to-Point Protocol Daemon (pppd) Vulnerability
reported in March and
proof-of-concept exploit
code is available. Siemens has updates available to mitigate the
vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain unauthenticated access to a
device and trigger a buffer overflow that executes custom code. NCCIC-ICS makes
no mention of the publicly available exploit code.
Tridium Advisory
This advisory
describes a synchronous access of remote resource without timeout vulnerability
in the Tridium Niagara product. The vulnerability was self-reported. Tridium
has updates that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker on
an adjacent network could exploit the vulnerability to result in a
denial-of-service condition.
Schneider Advisory
This advisory
describes two path traversal vulnerabilities in the Schneider APC Easy UPS
On-Line. The vulnerabilities were reported by rgod via the Zero Day Initiative.
Schneider has a new version that mitigates the vulnerabilities. There is no indication
that rgod has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to achieve remote code execution.
NOTE: Schneider also
published six other advisories yesterday.
Yokogawa Advisory
This advisory
describes two vulnerabilities in the Yokogawa CENTUM distributed control
system. The vulnerabilities were reported by Nataliya Tlyapova, Ivan Kurnakov,
and Positive Technologies. Yokogawa has patches that mitigate the vulnerabilities
for products still under support. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper authentication - CVE-2020-5608, and
• Path traversal - CVE-2020-5609
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow a remote unauthenticated
attacker to send tampered communication packets, or to create/overwrite any file
and run arbitrary commands.
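Both the Schneider APC Easy UPS On-Line advisory and the Yokogawa CENTUM advisory above turn on path traversal, where a request path containing `..` segments is joined onto a server directory and lands outside it. The following is an added example, not code from any of these advisories or vendors, showing the naive join beside a hardened resolver that canonicalises the path and checks it is still under the document root. The root `/opt/app/www` and the request strings are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root (assumption for the example, not any vendor's path).
WEB_ROOT = "/opt/app/www"


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive concatenation: "../" segments walk straight out of root."""
    return root + "/" + unquote(requested)


def safe_resolve(root: str, requested: str):
    """Return the canonical path under root, or None if the request escapes it.

    The check is lexical (posixpath.normpath), so it is independent of the
    filesystem; symlinks inside root that point outside are a separate concern
    and need os.path.realpath on a live filesystem.
    """
    decoded = unquote(requested)           # decode once, as the web server would
    if "\x00" in decoded or "\\" in decoded:
        # NUL truncates paths in C file APIs; backslash is a separator on Windows.
        return None
    # Treat the request as relative: strip leading slashes so join() cannot
    # replace root with an attacker-supplied absolute path.
    rel = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)
    # After normalisation, anything not prefixed by root + "/" has escaped.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def classify(requests):
    """Run constructed request paths through both resolvers for comparison."""
    return {
        req: {
            "naive": posixpath.normpath(vulnerable_resolve(WEB_ROOT, req)),
            "safe": safe_resolve(WEB_ROOT, req),
        }
        for req in requests
    }


if __name__ == "__main__":
    # Constructed sample requests: one benign, three traversal attempts.
    samples = [
        "index.html",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
    ]
    for req, result in classify(samples).items():
        print(f"{req!r:40} naive={result['naive']!r:30} safe={result['safe']!r}")
```

Note that `unquote` is applied exactly once: a double-encoded `%252e%252e` decodes to the literal `%2e%2e`, which the filesystem does not treat as `..`, so it is harmless unless some later layer decodes again. That second decode is the kind of inconsistency path traversal bugs tend to hide in.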
NOTE: I briefly
discussed these vulnerabilities on August 1st.