Saturday, August 22, 2020

Public ICS Disclosures – Week of 8-15-20


This week we have three vendor disclosures for products from Phoenix Contact, Moxa, and Eaton and one update from Rockwell. There are researcher reports for products from WECON. There were two control system exploits published for products from PNPSCADA and Geutebruck.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing a synchronous access of remote resource without timeout vulnerability in their Emalytics, ILC 2050 BI and ILC 2050 BI-L products. This is a third-party vulnerability in the Tridium Niagara product that was reported earlier this month by NCCIC-ICS. Phoenix Contact reports that they expect to fix this vulnerability in the next firmware update in October 2020.

Moxa Advisory


Moxa published an advisory describing six vulnerabilities in their NPort IAW5000A-I/O Series Serial Device Servers. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation,
• Improper privilege management,
• Weak password requirements,
• Cleartext transmission of sensitive information,
• Improper restriction of excessive authentication attempts, and
• Information exposure

Eaton Advisory


Eaton published an advisory describing two vulnerabilities in their Secure Connect Android Mobile app. The vulnerabilities were reported by Vishal Bharad. Eaton has a new version that mitigates the vulnerabilities. There is no indication that Bharad has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Information exposure, and
• Information exposure through log files

Rockwell Update


Rockwell published an update for an advisory that was originally published on July 8th, 2020 and most recently updated on July 23rd, 2020. The new information includes links to additional detections.

WECON Reports


The Zero Day Initiative has published 22 reports (ZDI-20-1055 through ZDI-20-1076) of 0-day vulnerabilities in the WECON LeviStudioU. The vulnerabilities have been reported to ‘ICS-CERT’ (presumably CISA NCCIC-ICS), which reportedly received no response from WECON. The vulnerabilities were reported by Natnael Samson. The vulnerabilities are all stack-based buffer overflows in various components of the LeviStudioU product. No CVEs have been reported.

PNPSCADA Exploit


İsmail ERKEK published an exploit for an SQL injection vulnerability in PNPSCADA. There is no CVE for this vulnerability and there is no indication that ERKEK has contacted the vendor, so this looks like it is a 0-day vulnerability.

Geutebruck Exploit


Davy Douhine published a Metasploit module for an authenticated arbitrary command execution vulnerability in Geutebruck G-Cam and G-Code cameras. This vulnerability was previously reported by NCCIC-ICS.
