Saturday, November 21, 2020

Public ICS Disclosures – Week of 11-14-20

This week we have six vendor disclosures from Beckhoff, ENDRESS+HAUSER (2), GE Grid (2), and Medtronic. We have one Ripple20 advisory update for products from Eaton. We also have a researcher report on vulnerabilities in products from Schneider. Finally, we have reports of exploits for products from Rockwell and the Netlogon vulnerability in Microsoft products.

Beckhoff Advisory

CERT-VDE published an advisory describing an incorrect default permissions vulnerability in the Beckhoff TwinCAT XAR product. The vulnerability was reported by Ayushman Dutta. Beckhoff has provided installation instructions to mitigate the vulnerability. There is no indication that Dutta has been provided an opportunity to verify the efficacy of the fix.

ENDRESS+HAUSER Advisories

CERT-VDE published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the ENDRESS+HAUSER Ecograph T products. The vulnerability was reported by Maxim Rupp. ENDRESS+HAUSER has provided generic workarounds to mitigate the vulnerability.

CERT-VDE published an advisory describing an improper privilege management vulnerability in the ENDRESS+HAUSER Ecograph T products. The vulnerability was reported by Maxim Rupp. ENDRESS+HAUSER has provided generic workarounds to mitigate the vulnerability.

GE Advisories

GE published an advisory for their Reason RT430/RT434. The advisory is only available to registered customers.

GE published an advisory for their Reason RT431. The advisory is only available to registered customers.

Medtronic Advisory

Medtronic published an advisory discussing the TiYunZong vulnerabilities found in the CT900 Samsung Android tablets used to run their Clinical Programmer Applications. A Chrome browser update is available to mitigate the vulnerabilities.

NOTE: I wonder what other vendors using Android products for access devices could be susceptible to these vulnerabilities?

Eaton Update

Eaton published an update for their Ripple20 advisory that was originally published on June 23rd, 2020 and most recently updated on October 5th, 2020. The new information adds Uninterruptible Power Supplies (UPSs) with the ModbusMS card to the list of affected products.

Schneider Report

Trustwave published a report describing their research into vulnerabilities in the Schneider EcoStruxure Machine Expert and M221 PLC. The vulnerabilities were reported by Schneider on October 10th, 2020. The report includes proof-of-concept code.

Rockwell Exploit

The Flashback team published a Metasploit module for vulnerabilities in the Rockwell FactoryTalk View SE SCADA product. These vulnerabilities were reported by CISA NCCIC-ICS on June 18th, 2020.

Netlogon Exploit

West Shepherd published a proof-of-concept exploit for the Netlogon vulnerabilities reported by Microsoft.

NOTE: I have not seen this vulnerability reported in control system products, but it has been reported by medical device manufacturers (see for example BD).
