Saturday, January 16, 2021

Public ICS Disclosure – Week of 1-9-21 – Part 1

This week we have six vendor disclosures from Advantech, PEPPERL+FUCHS, WAGO, Philips, RUCKUS, and Rockwell (2). We have five vendor updates from Carestream, Mitsubishi, Rockwell, Siemens, and Software Toolbox.

Advantech Advisory

Advantech published an advisory describing six vulnerabilities in their Spectre RT ERT351 and B+B SmartWorx ERT351 products. The vulnerabilities were reported by Vlad Komarov of ScadaX, and Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Advantech has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Improper neutralization of input during web page generation - CVE-2019-18233,

• Cleartext transmission of sensitive information - CVE-2019-18231,

• Improper restriction of excessive authentication attempts - CVE-2019-18235 (Linux vuln),

• Insufficiently protected credentials (no CVE number),

• Usage of broken or risky cryptographic algorithm - CVE-2019-18237,

• Use of vulnerable third-party software - CVE-2019-18239 (OpenSSH and OpenSSL)

PEPPERL+FUCHS Advisory

CERT VDE published an advisory describing a deserialization of untrusted data vulnerability in the PEPPERL+FUCHS PACTware product. This is a third-party (fdtCONTAINER component by M&M Software GmbH) vulnerability. The vulnerability was reported by M&M Software. The vulnerability will be corrected in a version to be released in the second quarter.

WAGO Advisory

CERT VDE published an advisory describing a deserialization of untrusted data vulnerability in unnamed WAGO workstations. This is the same third-party (M&M Software) vulnerability described above.

Philips Advisory

Philips published an advisory for an undescribed vulnerability in products running on their older Haswell workstations. Philips has a patch that mitigates the vulnerability.

RUCKUS Advisory

RUCKUS published an advisory describing two vulnerabilities in the LLDP module of Ruckus Network’s AP products. These are third-party library vulnerabilities originally reported by Florian Weimer (see links below for original reporting). RUCKUS has patches that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Classic buffer overflow - CVE-2015-8011, and

• Reachable assertion - CVE-2015-8012

Rockwell Advisories

Rockwell published an advisory describing a side-channel leakage vulnerability in the NXP 7x Secure Authentication Microcontrollers. This is a third-party (Google Titan Security Key) vulnerability reported by NinjaLab. Rockwell provides generic mitigation measures.

NOTE: This is going to be an interesting one for a variety of vendors.

Rockwell published an advisory describing the third-party (M&M Software) fdtCONTAINER vulnerability described above in their FactoryTalk AssetCentre products. Rockwell has a software update that mitigates the vulnerability.

NOTE: Third-party vulnerabilities strike far and wide (SIGH).

Carestream Update

Carestream published an update [.PDF download link] for their Bad Neighbor advisory that was originally published on October 15th, 2020. The new information includes:

• A list of unaffected products, and

• A list of two affected products (Image Suite and Omni) with mitigation measures.

Mitsubishi Update

Mitsubishi published an update for their MC Works 64 advisory that was originally published on June 18th, 2020 and most recently updated on December 8th, 2020. The new information includes adding mitigation measures for MC Works64 Version 2.00A - 2.02C.

NOTE: NCCIC-ICS published an advisory for these vulnerabilities back in June but has not yet updated it for any of the updates that Mitsubishi has published. This is probably due to a failure by Mitsubishi to inform NCCIC-ICS of the updates.

Rockwell Update

Rockwell published an update for their FactoryTalk Linx advisory that was originally published on December 27th, 2020. The new information includes links to mitigation measures for three of the vulnerabilities.

Siemens Update

Siemens published an out-of-zone update for their SolidEdge advisory that was originally published on January 12th, 2021. The new information includes additional mitigation information for SolidEdge SE2020.

Software Toolbox Update

Software Toolbox published an update for their TopServer advisory that was originally published on December 9th, 2020. The new information includes adding the CVE numbers for the included vulnerabilities.

NOTE: This advisory was included in ICSA-20-352-02. This update will probably not be mentioned by NCCIC-ICS since the link provided in their advisory takes one to this update.
