Public ICS Disclosures – Week of 12-5-20, Part I

This week we have twelve vendor notification from ABB, HMS, and Cisco (10). There are vendor updates available for products from Mitsubishi and Beckhoff.

ABB Advisory

ABB published an advisory describing a VPN gateway vulnerability inn their Arctic wireless gateways. ABB says that this is a set-up issue and provides additional guidance on proper configuration to mitigate this vulnerability.

HMS Advisory

HMS published an advisory discussing the Amensia33 vulnerabilities. The advisory provides a list of HMS products that are currently known to not be affected by the vulnerabilities.

Cisco Advisories

Cisco published ten advisories for vulnerabilities in their IoT Field Network Director. Each advisory reports on a separate vulnerability in the same product/version. The links for the CVE number are to the individual advisories.

• Cross-site scripting - CVE-2020-26081,

• Improper domain access control - CVE-2020-26080,

• Insufficient input validation - CVE-2020-26075,

• Unprotected storage of credentials - CVE-2020-26079,

• File overwrite - CVE-2020-26078,

• Improper access control - CVE-2020-26077,

• Missing authentication for critical function - CVE-2020-3531 and CVE-2020-3392,

• Information disclosure - CVE-2020-26076, and

• Authorization bypass - CVE-2020-26072,

NOTE: These advisories date back to November 18^th, but I just ran across them today thanks to their listing on the Russian FSTEC web site. No cause for concern there (SIGH).

Mitsubishi Update

Mitsubishi published an update for their MC Works 64 advisory that was originally published on June 18^th, 2020 and most recently updated on September 9^th, 2020. The new information includes adding security patches for MC Works64 Version 3.00A - 3.04E.

NOTE: NCCIC-ICS published an advisory for these vulnerabilities back in June but has not yet updated it for either of the updates that Mitsubishi has published.

Beckhoff Update

Beckhoff published an update for their TwinCAT System Tray advisory that was originally published on November 19^th, 2020. The new information includes a script for re-installing the software in a manner that mitigates the vulnerability.

Part II

As is fast becoming a ‘tradition’ here on the weekend following the second Tuesday of the month, I will publish Part II of this blog post tomorrow, looking at the advisories and updates from Siemens and Schneider that NCCIC-ICS did not address earlier in the week.