This week we have six vendor disclosures from Advantech, Aruba Networks (2), Bosch, Carestream, and VMware. We have a researcher report for products from Secomea (and B&R automation). Finally, there are two remote access exploits for products from ASUS and
Advantech Advisory
Advantech published an advisory discussing the DNSpooq vulnerabilities in their industrial cellular routers. Advantech notes that their routers are only vulnerable to the three ‘cache poisoning’ vulnerabilities. Advantech has new firmware that mitigates the vulnerabilities.
Aruba Advisories
Aruba published an advisory discussing the DNSpooq vulnerabilities in their products. Aruba reports that their products are only vulnerable to the three ‘cache poisoning’ vulnerabilities. Aruba will update the dnsmasq in “future routine maintenance patches”.
Aruba published an advisory describing twelve vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by multiple researchers via the BugCrowd platform. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The twelve reported vulnerabilities are:
• Cross-site request forgery (2) - CVE-2021-29960 and CVE-2021-29961,
• Command injection (2) - CVE-2021-29962 and CVE-2021-29963,
• Improper access control - CVE-2021-29964,
• SQL injection (2) - CVE-2021-29965 and CVE-2021-29966,
• Reflected cross-site scripting - CVE-2021-29967,
• Authenticated stored cross-site scripting - CVE-2021-29968,
• Authenticated XML external entity - CVE-2021-29969, and
• Authenticated remote command injection (2) - CVE-2021-29970 and CVE-2021-29971.
Bosch Advisory
Bosch published an advisory describing three vulnerabilities in their ctrlX CORE and the IoT Gateway. These are third-party (Linux kernel and sudo) vulnerabilities. Bosch reports that the next updates for the affected products would include updates for both the kernel and sudo.
The three reported vulnerabilities are:
• Improper locking and use after free - CVE-2020-29661,
• Out-of-bounds write - CVE-2021-3156 (multiple exploits publicly available), and
• Use after free - CVE-2021-3347 (exploit publicly available).
Carestream Advisory
Carestream published an advisory [.PDF download link] describing a heap-based buffer overflow vulnerability in a number of their products. This is a third-party (Chrome) vulnerability. Carestream reports that Chrome will be updated with the next software release for most of the affected products. This vulnerability has been exploited in the wild, but not yet in Carestream products.
VMware Advisory
VMware published an advisory describing three vulnerabilities in their VMware ESXi and vCenter Server. The vulnerabilities were reported by Mikhail Klyuchnikov of Positive Technologies, and Lucas Leong via the Zero Day Initiative. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Remote code execution - CVE-2021-21972,
• Heap-based buffer overflow - CVE-2021-21974,
• Server-side request forgery - CVE-2021-21973
Tenable has published a report on the vulnerabilities noting that these vulnerabilities have been exploited in the wild. NebulabdSec has published proof-of-concept code for the RCE vulnerability.
Secomea Report
Tenable published a report (including proof-of-concept code) describing three vulnerabilities in the Secomea GateManager (also applies to B&R GateManager). The report was coordinated with both Secomea and B&R; Secomea has a new version that mitigates the vulnerabilities. B&R’s response is pending.
The three reported vulnerabilities are:
• Reflected cross-site scripting - CVE-2020-29028,
• Authentication token exposed in URL path - CVE-2020-29030, and
• Authenticated malicious firmware upload - CVE-2020-29029.
NOTE: This is likely to be a third-party vulnerability in products from vendors other than B&R.
Remote Access Exploits
H4rk3nz0 published an exploit for a remote code execution vulnerability in the ASUS Remote Link. There is no CVE# listed and no indication that ASUS had been contacted. This may be a 0-day exploit.
MATTHEW DUNN published a Metasploit module for an authentication timing vulnerability for Remote Desktop Web Access. There is no CVE# and no indication that Microsoft has been contacted. This may be a 0-day exploit.