This week we have six vendor disclosures from Siemens Healthineers, PEPPERL+FUCHS, Johnson and Johnson, Meinberg, Ruckus, and WIBU systems. There is an updated disclosure from HMS. Finally, there is a researcher report on vulnerabilities in products from Rockwell Automation.
Siemens Advisory
Siemens published an advisory describing a third-party (Telerik UI) JavaScript deserialization vulnerability in their syngo.via software. The vulnerability was reported by Ryan Wincey from Securifera and Austin Nuttal. Siemens has patches for some of the affected versions. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NOTE: There are exploits available (here and here) for the underlying Telerik vulnerability.
PEPPERL+FUCHS Advisory
CERT VDE published an advisory describing six vulnerabilities in the PEPPERL+FUCHS Comtrol IO-Link Master product. The vulnerabilities were reported by T. Weber of SEC Consult Vulnerability Lab. PEPPERL+FUCHS has new versions that mitigate the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Cross-site scripting (2) - CVE-2020-12511 and CVE-2020-12512,
• OS command injection - CVE-2020-12513,
• Null pointer dereference - CVE-2020-12514,
• Out-of-bounds read - CVE-2018-20679 (CISCO vuln, exploit available), and
• Key management errors - CVE-2018-0732 (OpenSSL vuln)
Johnson and Johnson Advisory
Johnson and Johnson published an advisory announcing a new version of the Biosense Webster CARTO® 3 Systems that provides mitigation measures for a number of third-party (Windows OS) vulnerabilities.
Meinberg Advisory
Meinberg published an advisory describing a third-party (OpenSSL) null pointer dereference vulnerability in their LANTIME firmware. This vulnerability is self-reported. Meinberg has new versions that mitigate the vulnerability.
Ruckus Advisory
Ruckus published an advisory describing an arbitrary file read vulnerability in their Access Point products. The vulnerability is self-reported. Ruckus has new firmware versions available that mitigate the vulnerability.
WIBU Systems Advisory
WIBU Systems published an advisory describing three third-party (XStream) vulnerabilities in their AxProtector for Java product. The vulnerabilities are self-reported. They note that AxProtector for Java itself is not affected by any of these vulnerabilities because a whitelist is used, but they are providing an update that mitigates the XStream vulnerabilities. Exploits are available for all three vulnerabilities at the links below.
The three reported vulnerabilities are:
• Command injection - CVE-2020-26217,
• Server-side request forgery - CVE-2020-26258, and
• OS command injection - CVE-2020-26259
HMS Update
HMS published an update of their Amnesia:33 vulnerabilities advisory that was originally published on December 11th, 2020. The new information includes adding additional products to the ‘confirmed not affected’ list.
Rockwell Report
Talos published a report describing a denial-of-service vulnerability in the Rockwell RSLinx Classic EtherNet/IP server. This is a coordinated disclosure, but Rockwell has not yet published an advisory describing this vulnerability. The Talos report contains proof-of-concept code.