Tuesday, November 17, 2020

4 Advisories Published – 11-17-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Schneider Electric, Real Time Automation, Paradox, and Johnson Controls.

Schneider Advisory

This advisory describes nine vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,

• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and

• Out-of-bounds read - CVE-2020-7557

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to achieve remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Real Time Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Real Time Automation (RTA) 499ES EtherNet/IP (ENIP) Adaptor Source Code. The vulnerability was reported by Sharon Brizinov of Claroty. According to the Claroty report, RTA has a version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition, and a buffer overflow may allow remote code execution.

Claroty reports that a number of vendors appear to be using the vulnerable RTA ENIP stack.

Paradox Advisory

This advisory describes two vulnerabilities in the Paradox IP150 internet module. The vulnerabilities were reported by Omri Ben-Bassat of Microsoft. NCCIC-ICS provides an email address to contact Paradox for mitigation information.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-25189 (3 separate overflows under this CVE#), and

• Classic buffer overflow - CVE-2020-25185 (9 separate overflows under this CVE#)

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, which may result in the termination of the physical security system.

Johnson Controls Advisory

This advisory describes an improper authorization vulnerability in the Johnson Controls (Sensormatic Electronics) American Dynamics victor Web Client and Software House C•CURE Web Client. The vulnerability was reported by Joachim Kerschbaumer. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an unauthenticated attacker on the network to create and sign their own JSON web token and use it to execute an HTTP API method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a denial-of-service attack.
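The flaw class described above, a service that trusts the claims in a JSON web token without confirming the token was signed with the server's own key, is illustrated below with an added example. This is not Johnson Controls' code and assumes nothing about their implementation; the keys, claims and HS256 signing are constructed for the illustration, and the strict verifier is the mitigation pattern a defender would check for (pinned algorithm, server-key HMAC, expiry).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    # Restore the padding that JWT's base64url encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Anyone holding *any* key can call this; the
    server must therefore only accept tokens made with *its* key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def weak_authorize(token: str) -> Optional[dict]:
    """Flawed pattern (hypothetical): decode the claims and trust them without
    ever checking who signed the token. A self-signed token is accepted."""
    try:
        _, body, _ = token.split(".")
        return json.loads(b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None

def strict_authorize(token: str, server_key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Corrected pattern: pin the algorithm, recompute the HMAC with the server's
    key in constant time, and reject expired tokens before any claim is used."""
    try:
        header_s, body_s, sig_s = token.split(".")
        header = json.loads(b64url_decode(header_s))
        if header.get("alg") != "HS256":          # refuses "none" and key confusion
            return None
        expected = hmac.new(server_key, f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_s)):
            return None
        claims = json.loads(b64url_decode(body_s))
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None
        return claims
    except (ValueError, json.JSONDecodeError):
        return None
```

Detection-wise, the weak path leaves no signature failure to log; the strict path gives the web server a concrete event (signature or algorithm mismatch) to alert on.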
