Today the CISA NCCIC-ICS published 10 control system security advisories for products from Siemens (6), Schneider (2), Mitsubishi, and multiple vendors. They also published a medical device security advisory for products from GE Healthcare.
NOTE: NCCIC-ICS also published 13 updates (according to an email I received from CISA) for previously published advisories. Interestingly the ICS Archive Information Products web page only currently lists 5 updates. In any case, I will address these updates tomorrow.
LOGO! Advisory
This advisory describes eight vulnerabilities in the Siemens LOGO! 8 BM products. The vulnerabilities were reported by Thomas Meesters from cirosec GmbH, as well as Tobias Gebhardt, and Max Bäumler. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The eight reported vulnerabilities are:
• Missing authentication for
critical function - CVE-2020-25228,
• Use of hard-coded cryptographic key
(4) - CVE-2020-25229, CVE-2020-25231, CVE-2020-25233, and CVE-2020-25234,
• Use of a broken or risky
cryptographic algorithm (2) - CVE-2020-25230, and CVE-2020-25232, and
• Insufficiently protected credentials - CVE-2020-25235
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker the ability to make configuration and password changes, capture device keys, access confidential information, and gain full control of the device.
SIMATIC Advisory
This advisory describes an uncaught exception vulnerability in the Siemens SIMATIC Controller Web Servers. The vulnerability is self-reported. Siemens has updates that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition.
TightVNC Advisory
This advisory describes four vulnerabilities in the Siemens SIMATIC products using TightVNC (v1.X), a remote-control software package. TightVNC is an open-source third-party product. The vulnerability was reported by Kaspersky Labs. Siemens has updates for some of the affected products. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Heap-based buffer overflow (2) - CVE-2019-15678,
and CVE-2019-15679,
• Null pointer dereference - CVE-2019-15680,
and
• Classic buffer overflow - CVE-2019-8287
NOTE: The Kaspersky report identifies vulnerabilities in three other implementations of the VNC protocol; LibVNC, TurboVNC and UltraVNC. Other products (other vendors) with remote access capabilities are going to be affected by these issues. This is going to be a fun one.
SICAM Advisory
This advisory describes a protection mechanism failure vulnerability in the Siemens SICAM A8000 Remote Terminal Unit Series. The vulnerability was reported by Sam Hamra from KTH Royal Institute of Technology. Siemens has a version that mitigates the vulnerability. There is no indication that Hamra has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to gain unauthorized read or write access to network traffic to or from the device.
XHQ Advisory
This advisory describes seven vulnerabilities in the Siemens XHQ Operations Intelligence. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.
The seven reported vulnerabilities are:
• Exposure of sensitive information
to an unauthorized actor - CVE-2019-19283,
• Cross-site scripting - CVE-2019-19284,
and CVE-2019-19288,
• Basic XSS - CVE-2019-19285,
• SQL injection - CVE-2019-19286,
• Relative path traversal - CVE-2019-19287,
and
• Cross-site request forgery - CVE-2019-19289
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read sensitive information, modify web content, and perform cross-site scripting and cross-site request forgery on unsuspecting users.
Embedded TCP/IP Stack Advisory
This advisory describes an integer overflow vulnerability in the Siemens SENTRON PAC3200, SENTRON PAC4200, SIRIUS 3RW5 products. This is the third-party Amensia33 vulnerability. The vulnerability was reported by Daniel dos Santos, Stanislav Dashevskyi, Jos Wetzels, and Amine Amri of Forescout Research Labs. Siemens has upgrades available for some of the affected products.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to ause a denial-of-service condition.
Modicon Advisory
This advisory describes five vulnerabilities in the Schneider Modicon M221 Programmable Logic Controller. The vulnerabilities were reported by Yehuda Anikster and Rei Henigman of Claroty, and Seok Min Lim and Bryon Kaan of Trustwave. Schneider has provided generic workarounds to mitigate the vulnerabilities.
The five reported vulnerabilities are:
• Inadequate encryption strength - CVE-2020-7565,
• Small space of random values - CVE-2020-7566,
• Missing encryption of sensitive
data - CVE-2020-7567,
• Exposure of sensitive information
- CVE-2020-7568, and
• Use of a one-way hash with a predictable salt - CVE-2020-28214
NCCIC-ICS reports that an uncharacterized attacker on an adjacent network could exploit the vulnerabilities to allow an attacker to take control over the PLC and gain unauthorized access, which could result in exposure of sensitive information.
NOTE 1: I briefly reported on the original Schneider advisory back in November. This NCCIC-ICS advisory is based upon an updated version of that advisory published today that adds the last vulnerability reported above.
NOTE 2: The Trustwave report includes proof-of concept exploit code.
Easergy Advisory
This advisory describes five vulnerabilities in the Schneider Easergy T300. The vulnerabilities were reported by Evgeniy Druzhinin and IIya Karpov of Rostelecom-Solar. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Missing authentication for
critical function - CVE-2020-7561,
• Missing authorization - CVE-2020-28215,
• Missing encryption of sensitive
data (2) - CVE-2020-28216, and CVE-2020-28217, and
• Improper restriction of rendered UI layers or frames - CVE-2020-28218
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to obtain unauthorized access to the internal product LAN, which could result in exposure of sensitive information, denial of service, and remote code execution when access to a resource from an attacker is not restricted or incorrectly restricted.
NOTE: I briefly reported on the original Schneider advisory back in November. This NCCIC-ICS advisory is based upon an updated version of that advisory published today that adds the last four vulnerabilities reported above.
NOTE: Schneider also published nine new advisories and three additional updates today. I suspect that I will be addressing these this weekend.
Mitsubishi Advisory
This advisory describes an out-of-bounds read vulnerability in the Mitsubishi GOT and Tension Controller. The vulnerability is self-reported. Mitsubishi is providing generic mitigation measures while it continues to work on a fixed version of the products.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause deterioration of communication performance or cause a denial-of-service condition of the TCP communication functions of the products.
NOTE: I briefly reported on this vulnerability last weekend.
Embedded TCP/IP Stacks Advisory
This advisory discusses the Amnesia33 vulnerabilities that were briefly addressed in the Siemens TCP/IP advisory above. This separate advisory lists 33 distinct vulnerabilities (thus the ‘33’ in the title of the Forescout report) found in the different TCP/IP stack implementations. It also provides a list of vendor advisories for products affected by these vulnerabilities:
• Devolo
• FEIG
• Genetec
• Harting
• Hensoldt
• Nanotec
• NT-Ware
• Siemens
• Uniflow
It is interesting that NCCIC-ICS published a separate advisory for the Siemens version of the vulnerability.
GE Advisory
This advisory describes two vulnerabilities in the GE Imaging and Ultrasound Products. The vulnerabilities were reported by Lior Bar Yosef and Elad Luz of CyberMDX. GE has publicly provided generic workarounds to mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Unprotected transport of
credentials - CVE-2020-25175, and
• Exposure of sensitive system information to an unauthorized control sphere - CVE-2020-25179
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to allow an attacker to gain access to
affected devices in a way that is comparable with GE (remote) service user
privileges. A successful exploitation could expose sensitive data such as a
limited set of patient health information (PHI) or could allow the attacker to
run arbitrary code, which might impact the availability of the system and allow
manipulation of PHI.
No comments:
Post a Comment