This week we have eight vendor disclosures for products from
Schneider (7) and Thales Group. We also have nine updates for advisories for
products from Schneider (5), Siemens (2), Carestream and Rockwell.
Schneider Advisories
Schneider published an
advisory describing three vulnerabilities in the web servers of their Modicon
M340, Modicon Quantum and Modicon Premium Legacy products. The vulnerabilities
were reported (here
and here) by Kai
Wang of Fortinet's FortiGuard Labs. Schneider is working on mitigation measures
for those affected products that are not end-of-life.
The three reported vulnerabilities are:
• Out-of-bounds read - CVE-2020-7562,
• Out-of-bounds write - CVE-2020-7563, and
• Classic buffer overflow - CVE-2020-7564
Schneider published an
advisory describing an improper privilege management vulnerability in their
EcoStruxure™ Operator Terminal Expert runtime (Vijeo XD). The vulnerability was
reported by Lasse Trolle Borup of Danish Cyber Defence. Schneider has a service
pack that mitigates the vulnerability. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
Schneider published an
advisory describing nine vulnerabilities in their Interactive Graphical
SCADA System (IGSS) product. The vulnerabilities were reported by kimiya via
the Zero Day Initiative. Schneider has a new version that mitigates the
vulnerabilities. There is no indication that kimiya has been provided an opportunity
to verify the efficacy of the fix.
The nine reported vulnerabilities are:
• Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,
• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and
• Out-of-bounds read - CVE-2020-7557
Schneider published an
advisory describing seven vulnerabilities in their EcoStruxure Building
Operation (EBO) product offerings. The vulnerabilities were reported by Luis
Vázquez, Francisco Palma, and Diego León of Zerolynx, and Alessandro Bosco,
Luca Di Giuseppe, Alessandro Sabetta, and Massimiliano Brolli of TIM Security Red Team
Research. Schneider has a version that mitigates the vulnerabilities. There is
no indication that the researchers have been provided an opportunity to verify
the efficacy of the fix.
The seven reported vulnerabilities are:
• Unrestricted upload of file with dangerous type - CVE-2020-7569,
• Cross-site scripting stored - CVE-2020-7570,
• Cross-site scripting reflected - CVE-2020-7571,
• Improper restriction of XML external entity reference - CVE-2020-7572,
• Improper access control - CVE-2020-7573,
• Windows unquoted search path - CVE-2020-28209, and
• Cross-site scripting - CVE-2020-28210
Schneider published an
advisory describing four vulnerabilities in their Modicon M221 product. The
vulnerabilities were reported by Yehuda Anikster and Rei Henigman of Claroty,
and Seok Min Lim and Bryon Kaan of Trustwave (here).
Schneider provides generic workarounds to mitigate the vulnerabilities.
The four reported vulnerabilities are:
• Inadequate encryption strength - CVE-2020-7565,
• Small space of random values - CVE-2020-7566,
• Missing encryption of sensitive data - CVE-2020-7567, and
• Exposure of sensitive data to an unauthorized actor - CVE-2020-7568
NOTE: The Trustwave report contains proof-of-concept code.
Schneider published an
advisory describing an improper access control vulnerability in their Easergy
T300 remote terminal unit. The vulnerability was reported by Evgeniy Druzhinin
and Ilya Karpov of Rostelecom-Solar. Schneider has a new version that mitigates
the vulnerability. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
Schneider published an
advisory discussing the Drovorub
malware and its impact on their Q Data Radio and J Data Radio devices.
Schneider is providing generic workarounds pending further work on mitigating
the vulnerabilities.
Thales Advisory
Thales Group published an
advisory for their Sentinel RMS License Manager. The advisory is only
available to registered customers. We should expect to see various vendors incorporating
the fix for this in their affected products.
Schneider Updates
Schneider published an
update for their Ripple20 advisory.
The new information includes adding mitigation measures for:
• eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers,
• IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers, and
• IFE Gateway
Schneider published an
update for their EcoStruxure advisory that was originally
published on May 12th, 2020 and most
recently updated on June 9th, 2020. The new information includes
adding mitigation measures for CVE-2020-7495 & CVE-2020-7497.
Schneider published an
update for their Modicon M218/M241/M251/M258 Logic Controllers advisory
that was originally
published on April 14th, 2020. The new information includes adding
mitigation measures for M258.
Schneider published an
update for their Modicon Controllers advisory that was originally
published on March 20th, 2020. The new information includes
adding mitigation information for CVE-2020-7475.
Schneider published an
update for their Modicon M580 controller advisory that was originally
published on October 8th, 2019. The new information includes
adding mitigation information for CVE-2019-6848 and CVE-2019-6849.
Siemens Updates
Siemens published an update
for their CodeMeter advisory.
The new information includes adding SICAM 230 to the list of affected versions, including
mitigation measures.
Siemens published an update
for their GNU/Linux advisory that was originally
published in 2018 and most
recently updated on October 13th, 2020. The new information
includes adding:
• CVE-2020-10769,
• CVE-2020-14314,
• CVE-2020-25211, and
• CVE-2020-25641
Carestream Update
Carestream published an
update [.PDF download link] for their Bad
Neighbor advisory. The new information includes lists of affected and
unaffected products.
Rockwell Update
Rockwell published an update for their Urgent/11 advisory. The new information
includes mitigation measures for ControlLogix 5580 and CompactLogix products.