6 Advisories Published – 10-13-20

Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (2), Fieldcomm Group, Flexera, LCDS, and Moxa.

SIPORT Advisory

This advisory describes a use of client-side authentication vulnerability in the Siemens SIPORT MP access control system. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an authenticated attacker to impersonate other users of the system and perform (potentially administrative) actions on behalf of those users if the single sign-on feature (“Allow logon without password”) is enabled.

Desigo Advisory

This advisory describes three vulnerabilities in the Siemens Desigo Insight product. The vulnerabilities were reported by Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, and Massimiliano Brolli from TIM Security Red Team Research. Siemens has a ‘hotfix’ available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• SQL injection - CVE-2020-15792,

• Improper restriction of rendered UI layers or frames - CVE-2020-15793, and

• Exposure of sensitive information to an unauthorized actor - CVE-2020-15794

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to retrieve or modify data and gain access to sensitive information.

Fieldcomm Group Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fieldcom HARP-IP Developer kit. The vulnerability was reported by Reid Wightman from Dragos, Inc. Fieldcomm has a new version for one of the affected products that mitigates the vulnerability. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to  crash the device being accessed; a buffer overflow condition may allow remote code execution.

Flexera Advisory

This advisory describes an untrusted search path vulnerability in the Flexera InstallShield product. The vulnerability was reported by an anonymous researcher. Flexera will only provide mitigation measures and work arounds to registered owners.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow execution of a malicious DLL.

NOTE: This vulnerability was reported by Flexera in 2016, so why is NCCIC-ICS reporting this now? Both IBM (Tivoli Storage Manager) and Tenable (Nessus Network Monitor) have issued advisories covering this as a third-party vulnerability in 2016 and 2019 respectively. I suspect that there are other vendors that also use InstallShield that may be unaware of the vulnerability or may not have addressed it.

LCDS Advisory

This advisory describes an out-of-bounds read vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by an anonymous researcher via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

Moxa Advisory

This advisory describes six vulnerabilities in the Moxa NPort IAW5000A-I/O Series integrated serial device server. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has an updated firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation - CVE-2020-25198,

• Improper privilege management - CVE-2020-25194,

Weak password requirements - CVE-2020-25153,

• Cleartext transmission of sensitive information - CVE-2020-25190,

• Improper restriction of excessive authorization attempts - CVE-2020-25196, and

• Exposure of sensitive information to unauthorized actor - CVE-2020-25192

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain access to and hijack a session; allow an attacker with user privileges to perform requests with administrative privileges; allow the use of weak passwords; allow credentials of third-party services to be transmitted in cleartext; allow the use of brute force to bypass authentication on an SSH/Telnet session; or allow access to sensitive information without proper authorization.

NOTE: I briefly described these vulnerabilities back in August. Moxa has updated their advisory to list the CVE numbers assigned by NCCIC-ICS.

Siemens Updates

NCCIC-ICS also published four Siemens updates today. I will cover them in a post tomorrow.