Saturday, December 19, 2020

Public ICS Disclosures – Week of 12-12-20

This week we have five vendor disclosures regarding the Amnesia33 vulnerabilities. There were three vendor disclosures for the SUNBURST vulnerability. There were ten other vendor disclosures for products from ABB (3), Bosch (3), WAGO, Phoenix Contact (2), and VMware. There was one vendor update from Mitsubishi. We have seven researcher reports of vulnerabilities in products from Lantronix (2), Secomea, and Eaton (4).

Amnesia33 Advisories

Braun published an advisory discussing the Amnesia33 vulnerabilities. They report that none of their ‘connected devices’ is affected.

Drager published an advisory discussing the Amnesia33 vulnerabilities. They report that their medical devices are not affected.

HMS published an advisory discussing the Amnesia33 vulnerabilities. They provide a list of their products that they have confirmed are not affected.

Johnson and Johnson published an advisory discussing the Amnesia33 vulnerabilities. They report that they are investigating the potential impact of the vulnerabilities on their product line.

Spacelabs Healthcare published an advisory discussing the Amnesia33 vulnerabilities. They report that none of their products are affected by the vulnerabilities.

Sunburst Advisories

Drager published an advisory discussing the SUNBURST vulnerability. They report that their medical devices are not affected.

Boston Scientific published an advisory discussing the SUNBURST vulnerability. They report that their products are not affected.

Philips published an advisory discussing the SUNBURST vulnerability. They report that they are monitoring developments.

ABB Advisories

ABB published an advisory [corrected link, 12-19-20 1941 EST] describing five vulnerabilities in their Central Licensing System. The vulnerabilities were reported by William Knowles at Applied Risk. ABB has new versions that mitigate the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Information disclosure - CVE-2020-8481,

• XML external entity injection - CVE-2020-8479,

• Denial of service - CVE-2020-8475,

• Elevation of privilege - CVE-2020-8476, and

• Weak file permissions - CVE-2020-8471


ABB published an advisory describing eight vulnerabilities in their Symphony® Plus Historian. The vulnerabilities are self-reported. ABB has an update that mitigates the vulnerabilities.

The eight reported vulnerabilities are:

• SQL injection - CVE-2020-24673,

• Improper authorization - CVE-2020-24674,

• Weak authentication - CVE-2020-24675,

• Insecure Windows services - CVE-2020-24676,

• Web application security - CVE-2020-24677,

• Privilege escalation - CVE-2020-24678,

• Denial of Service - CVE-2020-24679, and

• Improper credential storage - CVE-2020-24680


ABB published an advisory describing nine vulnerabilities in their Symphony® Plus Operations. The vulnerabilities are self-reported. ABB has an update that mitigates the vulnerabilities.

The nine reported vulnerabilities are:

• SQL injection - CVE-2020-24673,

• Improper authorization - CVE-2020-24674,

• Weak authentication - CVE-2020-24675,

• Insecure Windows services - CVE-2020-24676,

• Web application security - CVE-2020-24677,

• Privilege escalation - CVE-2020-24678,

• Denial of Service - CVE-2020-24679,

• Improper credential storage - CVE-2020-24680, and

• Authentication bypass - CVE-2020-24683

Bosch Advisories

Bosch published an advisory describing a null pointer dereference vulnerability in their ctrlX Products. This is a third-party OpenSSL vulnerability. Bosch has an update that mitigates the vulnerability.


Bosch published an advisory describing two vulnerabilities in their Rexroth IndraMotion Products. Both vulnerabilities are third-party CODESYS vulnerabilities (CVE links below are to the respective CODESYS advisories). Bosch recommends using their ctrlX CORE product to mitigate these vulnerabilities.

The two reported vulnerabilities are:

• Uncontrolled memory allocation - CVE-2020-7052 [.PDF download link], and

• Memory Corruption - CVE-2019-5105 [.PDF download link]

NOTE: Proof-of-concept code is available for the CODESYS vulnerabilities in the respective reports from Tenable and Talos.


Bosch published an advisory describing six vulnerabilities in their Rexroth PRC7000. These are third-party CODESYS vulnerabilities (CVE links below are to the respective CODESYS advisories). Bosch has a new firmware version that mitigates the vulnerabilities.

The six reported vulnerabilities are:

• Memory Corruption - CVE-2019-5105 [.PDF download link] Tenable report,

• Heap-based buffer overflow - CVE-2019-18858 [.PDF download link] Tenable report,

• Unverified ownership - CVE-2019-9010 [.PDF download link] NCCIC-ICS report,

• Uncontrolled memory allocation - CVE-2019-9012 [.PDF download link] NCCIC-ICS report,

• Insufficiently protected credentials - CVE-2019-9013 [.PDF download link] NCCIC-ICS report, and

• Heap-based buffer overflow - CVE-2020-10245 [.PDF download link] Tenable report.

NOTE: The respective Tenable reports include proof-of-concept code for the CODESYS vulnerabilities.

WAGO Advisory

VDE-CERT published an advisory describing an improper neutralization of special elements used in an OS command (OS command injection) vulnerability in the WAGO I/O-Check Service. The vulnerability was reported by Uri Katz of Claroty. WAGO has a new firmware version that mitigates the vulnerability.

NOTE: The Claroty report includes a Snort rule to detect attempts to exploit the vulnerability.

Phoenix Contact Advisories

Phoenix Contact published an advisory [.PDF download link] describing a missing initialization of resource vulnerability in their mGuard products. The vulnerability was reported by SMST Designers & Constructors. Phoenix Contact has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Phoenix Contact published an advisory [.PDF download link] describing four vulnerabilities in their PLCnext Control devices. The vulnerabilities were reported by Patrick Muench, Torsten Loebner, Maurice Rothe, Pascal Keul, Melanie Tholen and Daniel Hackel of SVA Systemvertrieb Alexander GmbH. Phoenix Contact has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• XSS - CVE-2020-12517,

• Exposure of sensitive information - CVE-2020-12518,

• Improper privilege management - CVE-2020-12519, and

• Improper input validation (in the PROFINET stack) - CVE-2020-12521.

NOTE: There is no indication whether the last vulnerability is unique to the Phoenix Contact implementation of PROFINET or if it is a third-party vulnerability.

VMware Advisory

VMware published an advisory describing an improper input validation vulnerability in their ESXi, Workstation and Fusion products. The vulnerability was reported by Lucas Leong (@_wmliang_) of the Zero Day Initiative and Murray McAllister of Insomnia Security. VMware has patches that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Mitsubishi Update

Mitsubishi published an update of their Factory Automation advisory that was originally published on July 30th, 2020 and most recently updated on November 5th, 2020. The new information includes providing mitigation information for GT SoftGOT1000.

NOTE: NCCIC-ICS published their advisory for this vulnerability and updated it in November.

Lantronix Reports

Talos published two reports (see CVEs below for links) for vulnerabilities in the Lantronix XPort EDGE Web Manager. These are coordinated disclosures. The reports do not mention whether the vulnerabilities have been corrected.

The two reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2020-13528, and

• CSRF - CVE-2020-13527

Secomea Report

Tenable published a report describing two vulnerabilities in the Secomea GateManager. This is a coordinated disclosure. The Tenable report includes proof-of-concept code. Tenable does not report that Secomea has produced any mitigation measures.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-29021, and

• HTTP host header injection - CVE-2020-29022

Tenable notes that these will be third-party vulnerabilities in products from at least B&R Industrial Automation and perhaps other vendors as well.

Eaton Reports

The Zero Day Initiative published four reports (see ZDI numbers for links) from Francis Provencher for vulnerabilities in the Eaton EASYsoft application. This is a coordinated disclosure but ZDI is reporting these as zero-day vulnerabilities.

The four reported vulnerabilities are:

• Out-of-bounds read - ZDI-20-1443, and

• File parsing type confusion (3) - ZDI-20-1444, ZDI-20-1442, and ZDI-20-1441
