Saturday, February 20, 2021

Public ICS Disclosure – Week of 2-13-21

This week we have nine vendor disclosures from Aruba Networks, PEPPERL+FUCHS (3), Dell, Moxa, Philips, QNAP, and Rockwell. There is an update from Mitsubishi. We have three researcher reports for vulnerabilities in products from Advantech (2) and Sytech. Finally, we have an exploit for a product from DDC.

Aruba Advisory

Aruba published an advisory describing eleven vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Daniel Jensen, Luke Young, Fernando Romero de la Morena, and the Microsoft Security Team. Aruba has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Cross-site scripting - CVE-2021-26678,

• Command injection (5) - CVE-2021-26681, CVE-2021-26679, CVE-2021-26680, CVE-2021-26683, and CVE-2021-26684,

• Local escalation of privilege - CVE-2021-26677,

• SQL injection (2) - CVE-2021-26685 and CVE-2021-26686,

• Reflected cross-site scripting - CVE-2021-26682, and

• Buffer Overflow - CVE-2020-7120

PEPPERL+FUCHS Advisories

CERT-VDE published an advisory describing an out-of-bounds write vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (RTA) EtherNet/IP Stack vulnerability. Generic mitigation measures were described.

 

CERT-VDE published an advisory describing a stack-based buffer overflow vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (Hilscher) PROFINET IO Device vulnerability. Generic mitigation measures were described.

 

CERT-VDE published an advisory describing a stack-based buffer overflow vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (Hilscher) EtherNet/IP stack vulnerability.

Dell Advisory

Dell published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in their EMC PowerProtect Cyber Recovery product. The vulnerability is self-reported. Dell has a new version that mitigates the vulnerability.

Moxa Advisory

Moxa published an advisory describing a heap-based buffer overflow vulnerability in multiple products. This is a third-party (SUDO) vulnerability. Exploits are publicly available. Moxa has upgrades available to mitigate the vulnerability.

Philips Advisory

Philips published an advisory describing three TCP/IP vulnerabilities in their products running on Microsoft Windows. The three CVE numbers (CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086) provided in the advisory are listed as ‘Reserved’ by cve.mitre.org, so it is not clear what MS vulnerabilities are specifically being reported, but Philips is reportedly reviewing MS patches.

QNAP Advisory

QNAP published an advisory describing a stack-based overflow vulnerability in their QNAP NAS running Surveillance Station. The vulnerability was reported by an unnamed ‘independent security researcher’. QNAP has new versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

Rockwell Advisory

Rockwell published an advisory describing an uncontrolled search path element vulnerability in their DriveTools™ and Drives AOP products. The vulnerability was reported by Cim Stordal of Cognite and Claroty. Rockwell has new versions that mitigate the vulnerability. There are no indications that the researchers have been provided an opportunity to verify the efficacy of the fix.

Mitsubishi Update

Mitsubishi published an update for their TCP protocol stack advisory that was originally published (by NCCIC-ICS) on September 1st, 2020. The new information includes updated affected versions and/or added mitigation measures for:

• MSZ-BT20/25/35/50VGK-E1,

• MSZ-BT20/25/35/50VGK-ET1,

• MSZ-AP25/35/42/50/60/71VGK-E2,

• MSZ-AP25/35/42/50VGK-E7,

• MSZ-AP25/35/42/50VGK-EN2,

• MSZ-AP60/71VGK-ET2,

• MSZ-EF18/22/25/35/42/50VGKW(S)(B)-E1,

• MSZ-EF22/25/35/42/50VGKW(S)(B)-ER1,

• MSZ-EF25VGKB-ET1,

• MSZ-FT25/35/50VGK-E1,

• MSZ-FT25/35/50VGK-ET1,

• MSZ-FT25/35/50VGK-SC1,

• MSZ-EF22/25/35/42/50VGKW(S)(B)-A1, and

• BAC-HD150

NOTE: I expect that NCCIC-ICS will update their advisory in the coming week.

Advantech Reports

Talos published a report describing five incorrect default permission vulnerabilities (CVE-2020-13551, CVE-2020-13552, CVE-2020-13553, CVE-2020-13554, and CVE-2020-13555) in the Advantech WebAccess/SCADA installation. The report includes proof of concept code. The vulnerabilities were disclosed to Advantech in October 2020.

 

Talos published a report describing a path traversal vulnerability in the Advantech WebAccess/SCADA installation. The report includes proof of concept code. The vulnerability was disclosed to Advantech in October 2020.

Sytech Report

Talos published a report describing an incorrect default permissions vulnerability in the Sytech XL Reporter. The report includes proof of concept code. The vulnerability was disclosed to Sytech in October 2020.

DDC Exploit

Kağan Çapar published an exploit for a buffer overflow vulnerability in the DDC dataSIMS Avionics Bus Analysis & Simulation Software Tool. There is no CVE listed and no indication of notification to DDC. This may be a 0-day exploit.
