Thursday, January 21, 2021

5 Advisories Published – 1-21-21

Today CISA’s NCCIC-ICS published five control system security advisories for products from WAGO, Mitsubishi Electric, Honeywell, and Delta Electronics (2).

WAGO Advisory

This advisory describes a deserialization of untrusted data vulnerability in the M&M Software fdtCONTAINER (M&M is a subsidiary of WAGO). The vulnerability was reported by Emerson. M&M has a new version that mitigates the vulnerability (but it would not be compatible with existing projects). There is no indication that Emerson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low skilled attacker could exploit the vulnerability via a social engineering attack to allow malicious code to be executed without notice.

NCCIC-ICS reports that this vulnerability affects products from Emerson and PEPPERL+FUCHS.

NOTE: I briefly discussed this vulnerability last Saturday, but I was not aware that M&M was a subsidiary of WAGO.

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELFA product line. The vulnerability was reported by Qi An Xin Group, Inc. Mitsubishi has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.

NOTE: NCCIC-ICS provided an incorrect link for the Mitsubishi advisory (listed as ‘Mitsubishi Electric website’ in this advisory). The link should have been https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-019_en.pdf.

Honeywell Advisory

This advisory describes four vulnerabilities in the Matrikon (a subsidiary of Honeywell) OPC UA Tunneller. The vulnerabilities were reported by Uri Katz of Claroty. Matrikon has a new version that mitigates the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-27297,

• Out-of-bounds read - CVE-2020-27299,

• Improper check for unusual or exceptional conditions - CVE-2020-27274, and

• Uncontrolled resource consumption - CVE-2020-27295

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to disclose sensitive information, remotely execute arbitrary code, or crash the device.

TPEditor Advisory

This advisory describes two vulnerabilities in the Delta TPEditor. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2020-27288, and

• Out-of-bounds write - CVE-2020-27284

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to execute code under the privileges of the application.

ISPSoft Advisory

This advisory describes a use after free vulnerability in the Delta ISPSoft PLC program development tool. The vulnerability was reported by Francis Provencher via ZDI. Delta has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

1 comment:

Jake Brodsky said...

FDT and DTM are scary bits of software that have largely escaped notice among most of the OT researchers. Until now.

I think the M&M Software FDT discovery is going to be the first of an avalanche of more discoveries as people discover what the back-end and front-ends of this middleware can do.

This is one of those places where we all hate to admit that Joe Weiss may have been right. If you exploit FDT on an instrument to get it to execute arbitrary code, you can also get it to report incorrect values FROM THE INSTRUMENT.

This is very dangerous because there is very little visibility at this level of most control systems.
