Today the CISA NCCIC-ICS published six control system security advisories for products from Delta Electronics (2), Red Lion, GE, Panasonic and Schneider.
CNCSoft Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Delta CNCSoft ScreenEditor. The vulnerability was reported by Kimiya via the Zero Day Initiative. Delta has an update that mitigates the vulnerability. There is no indication that Kimiya has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.
DOPSoft Advisory
This advisory describes two vulnerabilities in the Delta DOPSoft software. The vulnerabilities were reported by Kimiya via the Zero Day Initiative. Delta has an update that mitigates the vulnerabilities. There is no indication that Kimiya has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Out-of-bounds write - CVE-2020-27275, and
• Untrusted pointer dereference - CVE-2020-27277
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow arbitrary code execution.
Red Lion Advisory
This advisory describes three vulnerabilities in the Red Lion Crimson 3.1 programming software. The vulnerabilities were reported by Marco Balduzzi, Ryan Flores, Philippe Lin, Charles Perine and Rainer Vosseler via ZDI. Red Lion has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Null pointer dereference - CVE-2020-27279,
• Missing authentication for critical function - CVE-2020-27285, and
• Improper resource shutdown - CVE-2020-27283
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to create a denial-of-service condition, read and modify the database, and leak memory data.
GE Advisory
This advisory describes two vulnerabilities in the GE Reason RT43X Clocks. The vulnerabilities were reported by Tom Westenberg of Thales UK. GE has a new firmware version that mitigates the vulnerabilities. There is no indication that Westenberg has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Code injection - CVE-2020-25197, and
• Use of hard-coded cryptographic key - CVE-2020-25193
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an authenticated remote attacker to execute arbitrary code on the system or intercept and decrypt encrypted traffic.
NOTE: I (very) briefly mentioned the GE advisory for these vulnerabilities back in November.
Panasonic Advisory
This advisory describes an out-of-bounds read vulnerability in the Panasonic FPWIN Pro programming software. The vulnerability was reported by Francis Provencher via ZDI. Panasonic has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow remote code execution.
Schneider Advisory
This advisory describes three vulnerabilities in the Schneider Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy products. The vulnerabilities were reported (here and here) by Kai Wang of Fortinet's FortiGuard Labs. Schneider continues to work on mitigation measures for supported versions of the affected products.
The three reported vulnerabilities were:
• Out-of-bounds read - CVE-2020-7562,
• Out-of-bounds write - CVE-2020-7563, and
• Classic buffer overflow - CVE-2020-7564
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow write access and the execution of commands, which could result in data corruption or a web server crash.
NOTE: I briefly described these vulnerabilities back in November.
NCCIC-ICS Updates
NCCIC-ICS also published five updates today. I will cover them in a separate blog post.