This week we have five vendor disclosures regarding the Amnesia33
vulnerabilities. There were three vendor disclosures for the SUNBURST vulnerability.
There were ten other vendor disclosures for products from ABB (3), Bosch (3),
WAGO, Phoenix Contact (2), and VMware. There was one vendor update from
Mitsubishi. We have seven researcher reports of vulnerabilities in products
from Lantronix (2), Secomea, and Eaton (4).
Amnesia33 Advisories
Braun published an
advisory discussing the Amnesia33 vulnerabilities. They report that none of
their ‘connected devices’ is affected.
Drager published an
advisory discussing the Amnesia33 vulnerabilities. They report that their
medical devices are not affected.
HMS published an
advisory discussing the Amnesia33 vulnerabilities. They provide a list of their
products that they have confirmed are not affected.
Johnson and Johnson published an advisory discussing
the Amnesia33 vulnerabilities. They report that they are investigating the potential
impact of the vulnerabilities on their product line.
Spacelabs Healthcare published an advisory discussing the
Amnesia33 vulnerabilities. They report that none of their products are
affected by the vulnerabilities.
Sunburst Advisories
Drager published an
advisory discussing the SUNBURST vulnerability. They report that their
medical devices are not affected.
Boston Scientific published an
advisory discussing the SUNBURST vulnerability. They report that their
products are not affected.
Philips published an
advisory discussing the SUNBURST vulnerability. They report that they are
monitoring developments.
ABB Advisories
ABB published an advisory [corrected link, 12-19-20 1941 EST] describing five vulnerabilities in their Central Licensing System.
The vulnerabilities were reported by William Knowles at Applied Risk. ABB has
new versions that mitigate the vulnerabilities. There is no indication that
Knowles has been provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Information disclosure - CVE-2020-8481,
• XML external entity injection - CVE-2020-8479,
• Denial of service - CVE-2020-8475,
• Elevation of privilege - CVE-2020-8476, and
• Weak file permissions - CVE-2020-8471
ABB published an
advisory describing eight vulnerabilities in their Symphony® Plus Historian.
The vulnerabilities are self-reported. ABB has an update that mitigates the
vulnerabilities.
The eight reported vulnerabilities are:
• SQL injection - CVE-2020-24673,
• Improper authorization - CVE-2020-24674,
• Weak authentication - CVE-2020-24675,
• Insecure Windows services - CVE-2020-24676,
• Web application security - CVE-2020-24677,
• Privilege escalation - CVE-2020-24678,
• Denial of Service - CVE-2020-24679, and
• Improper credential storage - CVE-2020-24680
ABB published an
advisory describing nine vulnerabilities in their Symphony® Plus Operations.
The vulnerabilities are self-reported. ABB has an update that mitigates the
vulnerabilities.
The nine reported vulnerabilities are:
• SQL injection - CVE-2020-24673,
• Improper authorization - CVE-2020-24674,
• Weak authentication - CVE-2020-24675,
• Insecure Windows services - CVE-2020-24676,
• Web application security - CVE-2020-24677,
• Privilege escalation - CVE-2020-24678,
• Denial of Service - CVE-2020-24679,
• Improper credential storage - CVE-2020-24680, and
• Authentication bypass - CVE-2020-24683
Bosch Advisories
Bosch published an
advisory describing a null pointer dereference vulnerability in their ctrlX
Products. This is a third-party OpenSSL
vulnerability. Bosch has an update that mitigates the vulnerability.
Bosch published an
advisory describing two vulnerabilities in their Rexroth IndraMotion
Products. Both vulnerabilities are third-party CODESYS vulnerabilities (CVE links
below are to the respective CODESYS advisories). Bosch recommends using their ctrlX
CORE product to mitigate these vulnerabilities.
The two reported vulnerabilities are:
• Uncontrolled memory allocation - CVE-2020-7052 [.PDF download link], and
• Memory Corruption - CVE-2019-5105 [.PDF download link]
NOTE: Proof-of-concept code is available for the CODESYS
vulnerabilities in the respective reports from Tenable and Talos.
Bosch published an
advisory describing six vulnerabilities in their Rexroth PRC7000. These are
third-party CODESYS vulnerabilities (CVE links below are to the respective
CODESYS advisories). Bosch has a new firmware version that mitigates the vulnerabilities.
The six reported vulnerabilities are:
• Memory Corruption - CVE-2019-5105 [.PDF download link] Tenable report,
• Heap-based buffer overflow - CVE-2019-18858 [.PDF download link] Tenable report,
• Unverified ownership - CVE-2019-9010 [.PDF download link] NCCIC-ICS report,
• Uncontrolled memory allocation - CVE-2019-9012 [.PDF download link] NCCIC-ICS report,
• Insufficiently protected credentials - CVE-2019-9013 [.PDF download link] NCCIC-ICS report, and
• Heap-based buffer overflow - CVE-2020-10245 [.PDF download link] Tenable report.
NOTE: The respective Tenable reports include
proof-of-concept code for the CODESYS vulnerabilities.
WAGO Advisory
VDE-CERT published an advisory
describing an improper neutralization of special elements in an OS command
vulnerability in the WAGO I/O-Check Service. The vulnerability was
reported by Uri Katz of Claroty. WAGO has a new firmware version that
mitigates the vulnerability.
NOTE: The Claroty report includes a Snort rule to detect the
vulnerability.
Phoenix Contact Advisories
Phoenix Contact published an advisory
[.PDF download link] describing a missing initialization of resource
vulnerability in their mGuard products. The vulnerability was reported by SMST
Designers & Constructors. Phoenix Contact has a new firmware version that
mitigates the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
Phoenix Contact published an
advisory [.PDF download link] describing four vulnerabilities in their PLCnext
Control devices. The vulnerabilities were reported by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul, Melanie Tholen and
Daniel Hackel of SVA Systemvertrieb Alexander GmbH. Phoenix Contact has a new firmware version
that mitigates the vulnerabilities. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• XSS - CVE-2020-12517,
• Exposure of sensitive information - CVE-2020-12518,
• Improper privilege management - CVE-2020-12519, and
• Improper input validation (in the PROFINET stack) - CVE-2020-12521.
NOTE: There is no indication whether the last vulnerability
is unique to the Phoenix Contact implementation of PROFINET or if it is a
third-party vulnerability.
VMware Advisory
VMware published an
advisory describing an improper input validation vulnerability in their ESXi, Workstation and Fusion products. The
vulnerability was reported by Lucas Leong (@_wmliang_) of the Zero Day
Initiative and Murray McAllister of Insomnia Security. VMware has patches that
mitigate the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
Mitsubishi Update
Mitsubishi published an update of their Factory Automation
advisory that was originally
published on July 30th, 2020 and most
recently updated on November 5th, 2020. The new information
includes providing mitigation information for GT SoftGOT1000.
NOTE: NCCIC-ICS published their advisory
for this vulnerability and updated it in November.
Lantronix Reports
Talos published two reports (see CVEs below for links) for
vulnerabilities in the Lantronix XPort EDGE Web Manager. These are coordinated
disclosures. The reports do not mention if the vulnerabilities have been
corrected.
The two reported vulnerabilities are:
• Cleartext transmission of sensitive information - CVE-2020-13528, and
• CSRF - CVE-2020-13527
Secomea Report
Tenable published a report
describing two vulnerabilities in the Secomea GateManager. This is a
coordinated disclosure. The Tenable report includes proof-of-concept code.
Tenable does not report that Secomea has produced any mitigation measures.
The two reported vulnerabilities are:
• Cross-site scripting - CVE-2020-29021, and
• HTTP host header injection - CVE-2020-29022
Tenable notes that these will be third-party vulnerabilities
in products from at least B&R Industrial Automation and perhaps other
vendors as well.
Eaton Reports
The Zero Day Initiative published four reports (see ZDI
numbers for links) from Francis Provencher for vulnerabilities in the Eaton
EASYsoft application. This is a coordinated disclosure but ZDI is reporting these
as zero-day vulnerabilities.
The four reported vulnerabilities are:
• Out-of-bounds read - ZDI-20-1443, and
• File parsing type confusion (3) - ZDI-20-1444, ZDI-20-1442, and ZDI-20-1441