This week we have 9 vendor disclosures for products from Schneider (6), Meinberg, B&R Automation and SICK. There were 7 updated vendor disclosures for products from Schneider (4), Siemens, GE Healthcare and Rockwell.
Schneider Advisories
Schneider published an
advisory describing an improper privilege management vulnerability in their
Modbus Serial Driver Component. The vulnerability was reported by Nicolas Delhaye
of Airbus Cybersecurity. Schneider has a new version that mitigates the
vulnerability. There is no indication that Delhaye has been provided an
opportunity to verify the efficacy of the fix.
Schneider has published an
advisory describing an improper restriction of excessive authentication
attempts vulnerability in their spaceLYnk and Wiser for KNX products. The
vulnerability was reported by Ismail Tasdelen. Schneider has a new version that
mitigates the vulnerability. There is no indication that Tasdelen has been
provided an opportunity to verify the efficacy of the fix.
Schneider has published an
advisory describing an out-of-bounds write vulnerability in their Modicon
M218 Logic Controller product. The vulnerability is self-reported. Schneider
has a new firmware version that mitigates the vulnerability.
Schneider has published an advisory describing an improper input validation vulnerability in their PowerChute Business Edition software. The vulnerability was reported by Mateus Riad. Schneider has new versions that mitigate the vulnerability. There is no indication that Riad has been provided an opportunity to verify the efficacy of the fix.
Schneider has published an
advisory describing the SweynTooth Bluetooth
vulnerabilities in their Harmony® eXLhoist product. Schneider has a new base station
firmware version that mitigates the vulnerability.
Schneider has published an
advisory describing an incorrect default permission vulnerability in their SoMove
application. The vulnerability was reported by Luis Alvernaz. Schneider has a
new version that mitigates the vulnerability. There is no indication that
Alvernaz has been provided an opportunity to verify the efficacy of the fix.
Meinberg Advisories
Meinberg published an advisory describing nine
vulnerabilities in their LANTIME product including third-party vulnerabilities
in ntp (4: Sec 3592, Sec 3596, Sec 3610, and Sec 3661) and OpenSSL (2: CVE-2019-1551
and CVE-2020-1967) services. The vulnerabilities are self-reported. Meinberg
has new firmware that mitigates the vulnerabilities.
NOTE: There is publicly available exploit code for one of
the OpenSSL vulnerabilities.
B&R Automation Advisory
B&R Automation published an
advisory describing a TFTP Service DoS vulnerability in their Automation Runtime products. The vulnerability
is self-reported. B&R has new versions that mitigate the vulnerability.
SICK Advisory
SICK published an
advisory describing the Microsoft® SMB/RCE
vulnerability in their MEAC central emission monitoring computer (EPC). SICK
recommends implementing the appropriate Microsoft patch.
Schneider Updates
Schneider published an
update for their Ripple20
advisory that was originally
published on June 23, 2020 and most
recently updated on July 29th, 2020. The new information
includes updated affected version data and mitigation measures for Uninterruptible
Power Supply (UPS) using NMC2.
Schneider published an
update for their Vijeo Designer and Vijeo Designer Basic Software advisory
that was originally
published on May 12th, 2020. The new information includes
updated mitigation measures for Vijeo Designer.
Schneider published an update for their Vijeo Designer and Vijeo Designer Basic advisory that was originally published on April 14th, 2020 and most recently updated on April 30th, 2020. The new information includes updated mitigation measures for Vijeo Designer V6.2 SP10.
Schneider published an update for their Modicon Controllers advisory that was originally published on May 14th, 2019 and most recently updated on May 12th, 2020. The new information includes:
• Additional fixes available for M580 v3.10
• For Quantum & Premium, the previous fix is not enough to correct the CVE and requires the additional mitigations proposed
Siemens Update
Siemens published an update for their GNU/Linux subsystem advisory that was originally published on November 27th, 2018 and most recently updated on July 14th, 2020. The new information includes adding the following CVEs:
• CVE-2019-19462,
• CVE-2019-20812,
• CVE-2019-20907,
• CVE-2020-0305,
• CVE-2020-10690,
• CVE-2020-10720,
• CVE-2020-10766,
• CVE-2020-10767,
• CVE-2020-10768,
• CVE-2020-12062,
• CVE-2020-12826,
• CVE-2020-13434,
• CVE-2020-13435, and
• CVE-2020-13871
NOTE: At this point it looks like Siemens is just adding new CVEs to this advisory without providing any information about fixes to the underlying product (SIMATIC S7-1500 CPU).
GE Healthcare Update
GE published an
update for their SigRed
advisory that was originally
reported on July 16th, 2020. The new information is a note that
GE Healthcare will provide a workaround for affected versions of products using unsupported versions of Windows Server.
Rockwell Update
Rockwell published an
update for their Studio 5000 Logix Designer advisory that was originally
published on July 8th, 2020. The new information includes a new
version of the product that mitigates the vulnerability.