Saturday, January 30, 2021

Public ICS Disclosures – Week of 1-23-21

This week we have nine vendor disclosures from Bosch, ZIV Automation (2), Emerson, GE Healthcare, Johnson Controls, Rockwell (2), and Siemens.

Bosch Advisory

Bosch published an advisory describing a stack-based buffer overflow vulnerability in their Rexroth ID 200/C-ETH using EtherNet/IP Protocol. This is a third-party (Real Time Automation) vulnerability. Bosch provides generic mitigation measures.

ZIV Automation Advisories

Incibe-CERT published an advisory describing an uncontrolled resource consumption vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch available that mitigates the vulnerability. There is no indication that Menéndez has been provided an opportunity to verify the efficacy of the fix.

 

Incibe-CERT published an advisory describing an improper authentication vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch available that mitigates the vulnerability. There is no indication that Menéndez has been provided an opportunity to verify the efficacy of the fix.

Emerson Advisory

Emerson published an advisory describing the fdtCONTAINER vulnerability in their Rosemount Transmitter Interface Software. Emerson no longer supports that software.

NOTE: This Emerson impact was previously reported by NCCIC-ICS.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing undisclosed vulnerabilities in the VC150 Vital Signs Monitor that they distribute. The Innokas Medical web site simply notes in their software update note for the VC150 that it contains “Cybersecurity enhancements and bug fixes”. GE Healthcare has made the updated software available.

Johnson Controls

Johnson Controls has published an advisory discussing four vulnerabilities in their Sur-Gard System 5 receivers. They are third-party (Treck) vulnerabilities. Johnson Controls has a new version that mitigates the vulnerabilities.

NOTE: This advisory does not specifically name the four vulnerabilities identified by Treck and NCCIC-ICS; it just provides the CVE numbers: CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, and CVE-2020-27338.

Rockwell Advisories

Rockwell published an advisory describing the fdtCONTAINER vulnerability in their FactoryTalk AssetCentre. Rockwell has a new version that mitigates the vulnerability.

 

Rockwell published an advisory describing a buffer overflow vulnerability in their MicroLogix 1400 Controller. The vulnerability was reported by Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS. Rockwell provides generic mitigation measures.

Siemens Advisory

Siemens published an advisory describing a missing authentication for critical function vulnerability in their SIMATIC HMI Panels. The vulnerability was reported by the Zero Day Initiative. Siemens has new versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The advisory acknowledges the coordination efforts of CISA, so it is likely that NCCIC-ICS will publish an advisory on this vulnerability next week.
