Tuesday, September 29, 2020

3 Advisories Published – 9-29-20

Today the CISA NCCIC-ICS published three control system security advisories for products from B&R Automation, Yokogawa, and MB Connect.

B&R Advisory

This advisory describes six vulnerabilities in the B&R SiteManager and GateManager products. The vulnerabilities were reported by Nikolay Sokolik and Hay Mizrachi. B&R has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Path traversal - CVE-2020-11641,

• Uncontrolled resource consumption - CVE-2020-11642,

• Information exposure - CVE-2020-11643,

• Improper authentication - CVE-2020-11644,

• Uncontrolled resource consumption - CVE-2020-11645, and

• Information disclosure - CVE-2020-11646

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to  allow for arbitrary information disclosure, manipulation, and a denial-of-service condition.

Yokogawa Advisory

This advisory describes a buffer copy without checking size of input vulnerability in the Yokogawa WideField3 PLC programming tool. The vulnerability was reported by Parity Dynamics. Yokogawa has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to  terminate the program abnormally.

NOTE: I briefly discussed this vulnerability last Saturday.

MB Connect Advisory

This advisory describes four vulnerabilities in the MB Connect mymbCONNECT24, mbCONNECT24 products. The vulnerabilities were reported by Otorio. MB Connect has newer versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• SQL injection (2) - CVE-2020-24569 and CVE-2020-24568,

• Cross-site request forgery - CVE-2020-24570, and

• Command injection – no CVE has been assigned.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain unauthorized access to arbitrary information or allow remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

No comments:

 
/* Use this with templates/template-twocol.html */