2 Advisories and 3 Updates Published – 2-18-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi and Johnson Controls. They also updated three advisories for products from Mitsubishi, Schneider and multiple TCP/IP stack vendors.

Mitsubishi Advisory

This advisory describes two vulnerabilities in the Mitsubishi FA engineering software products. The vulnerabilities were reported by dliangfun. Mitsubishi has new versions that mitigate the vulnerabilities. There is no indication that dliangfun has been provided an opportunity to verify the efficacy.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-20587, and

• Improper handling of length parameter inconsistency - CVE-2021-20588

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to  cause a denial-of-service condition.

Johnson Controls Advisory

This advisory describes a path traversal vulnerability in the Johnson Controls Metasys Reporting Engine (MRE) Web Services. The vulnerability was reported by TIM Security Red Team Research. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote unauthenticated attacker to access and download arbitrary files from the system.

Mitsubishi Update

This update provides additional information on an advisory that was originally reported on October 8^th, 2020 and most recently updated on October 29^th, 2020. The new information includes adding updated affected version and mitigation information for R08/16/32/120PCPU.

Schneider Update

This update provides additional information on an advisory that was originally published on January 12^th, 2020. The new information includes adding a link to the Schneider advisory.

Embedded TCP/IP Stacks Update

This update provides additional information on an advisory that was originally published on February 11^th, 2021. The new information includes adding mitigation measures for FNET.