Today the CISA NCCIC-ICS published nine control system
security advisories for products from Wibu-Systems and Siemens (8). The Wibu
advisory was originally published with restricted access on the HSIN ICS
library on July 21st, 2020. It has been a little over 22 months since
NCCIC-ICS last published an advisory on HSIN before releasing it to the
general public.
NOTE: NCCIC-ICS also updated seven advisories from Siemens.
I will address those in a separate blog post, probably tomorrow.
Wibu-Systems Advisory
This advisory
describes six vulnerabilities in the Wibu-Systems CodeMeter. These
vulnerabilities were reported by Sharon Brizinov and Tal Keren of Claroty. Wibu
has a new version that, along with other specific measures, mitigates the vulnerabilities.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Buffer access with incorrect length value - CVE-2020-14509,
• Inadequate encryption strength - CVE-2020-14517,
• Origin validation error - CVE-2020-14519,
• Improper input validation - CVE-2020-14513,
• Improper verification of cryptographic signature - CVE-2020-14515, and
• Improper resource shutdown or release - CVE-2020-16233
NOTE: The CVE links are to the respective Wibu advisory.
They apparently publish a separate advisory for each vulnerability. These
advisories provide a bit more detail than does the NCCIC-ICS advisory.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker to alter and
forge a license file, cause a denial-of-service condition, potentially attain
remote code execution, read heap data, and prevent normal operation of
third-party software dependent on the CodeMeter.
NOTE: NCCIC-ICS provided links to two vendor advisories for
products affected by this vulnerability:
• Siemens, and
• Rockwell
Polarion Advisory
This advisory
describes two vulnerabilities in the Siemens Polarion Subversion Webclient. The
vulnerabilities were reported by Li Yifan. Siemens considers the product shareware,
distributed “as is,” and there will be no fix as it is no longer supported.
The two reported vulnerabilities are:
• Basic XSS - CVE-2020-15788, and
• Cross-site request forgery - CVE-2020-15789
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to induce the victim to issue
an HTTP request that could lead to a state-changing operation.
Industrial Products Advisory
This advisory
describes an exposure of sensitive information to an unauthorized actor
vulnerability in the Siemens Industrial Products. The Siemens
advisory notes that this is the third-party (Intel) Crosstalk
vulnerability. The vulnerability was reported by Alyssa Milburn, Hany Ragab,
Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida from the VUSec group.
Siemens is working on an update and currently only provides generic workarounds
to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with local access could exploit this vulnerability to allow an authenticated
user to enable information disclosure via local access.
SIMATIC Advisory #1
This advisory
describes two vulnerabilities in the Siemens SIMATIC HMI Products. The
vulnerabilities were reported by Joseph Gardiner from Bristol Cyber Security
Group. Siemens is working on an update and currently only provides generic
workarounds to mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Improper restriction of excessive authentication attempts - CVE-2020-15786, and
• Authentication bypass by primary weakness - CVE-2020-15787.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow a remote attacker to
discover user passwords and obtain access to the Sm@rt Server via a brute-force
attack.
Siveillance Advisory
This advisory
describes a cleartext transmission of sensitive information vulnerability in
the Siemens Siveillance Video Client IP video management software. The vulnerability
is self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker to obtain valid
administrator login names and use this information to launch further attacks.
Spectrum Advisory
This advisory
describes two vulnerabilities in the Siemens Spectrum Power products. The vulnerabilities
were reported by Can Demirel of Cyberwise. Siemens has updates that mitigate
the vulnerabilities. There is no indication that Demirel has been provided an
opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Cleartext storage of sensitive information - CVE-2020-15784, and
• Exposure of information through directory listing - CVE-2020-15790
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to allow an unauthorized attacker to
retrieve a list of software users, or in certain cases to list the contents of
a directory.
License Management Advisory
This advisory
describes an execution with unnecessary privileges vulnerability in the Siemens
License Management Utility (LMU). The vulnerability was reported by Bundesamt
für Sicherheit in der Informationstechnik (BSI). Siemens has a new version that
mitigates the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to allow local users to
escalate privileges.
SIMATIC Advisory #2
This advisory
describes an insufficiently protected credentials vulnerability in the Siemens SIMATIC
S7-300 and S7-400 CPUs. The vulnerability was reported by Hyunguk Yoo from
University of New Orleans and Irfan Ahmed and Adeen Ayub from Virginia
Commonwealth University. Siemens has provided generic workarounds to mitigate
the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to allow credential
disclosure.
SIMATIC Advisory #3
This advisory
describes three vulnerabilities in the Siemens SIMATIC RTLS Locating Manager.
The vulnerabilities were self-reported. Siemens has an update that mitigates
the vulnerabilities.
The three reported vulnerabilities are:
• Incorrect default permissions - CVE-2020-10049 and CVE-2020-10050, and
• Unquoted search path or element - CVE-2020-10051
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to allow a
privileged local user to escalate privileges.