Tuesday, February 9, 2021

10 Advisories Published – 2-9-21

Today CISA’s NCCIC-ICS published ten control system security advisories for products from Siemens (8), Advantech, and GE Digital. NCCIC-ICS also published 12 advisory updates for products from Siemens that I will cover in a separate post tomorrow.

DIGSI 4 Advisory

This advisory describes an incorrect default permissions vulnerability in the Siemens DIGSI 4 product. The vulnerability was reported by Rich Davy from ECSC Group. Siemens has newer versions that mitigate the vulnerability. There is no indication that Davy has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a low-privileged attacker to execute arbitrary code with SYSTEM privileges.

WinCC Advisory

This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Siemens WinCC Graphics Designer. The vulnerability was reported by Enrique Murias Fernandez from Tecdesoft Automation. Siemens has an update that mitigates the vulnerability. There is no indication that Fernandez has been provided with an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker unauthenticated access to protected files.

SIMARIS Advisory

This advisory describes an incorrect default permissions vulnerability in the Siemens SIMARIS configuration electrical planning software. The vulnerability was reported by Rich Davy from ECSC Group. Siemens has provided generic workarounds for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain persistence or escalate privileges within the system.

SCALANCE Advisory

This advisory describes an allocation of resources without limits or throttling vulnerability in the Siemens SCALANCE W780 and W740 family. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition.

JT2Go Advisory

This advisory describes 21 vulnerabilities in the Siemens JT2Go and Teamcenter Visualization products. The vulnerabilities were reported by Michael DePlante (@izobashi), Francis Provencher {PRL}, and rgod via the Zero Day Initiative. Siemens has updates available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The 21 reported vulnerabilities are:

• Out-of-bounds read (7) - CVE-2020-26998, CVE-2020-26999, CVE-2020-27002, CVE-2020-27004, CVE-2020-27007, CVE-2020-27008, and CVE-2020-28394,

• Improper restriction of operations within the bounds of a memory buffer (3) - CVE-2020-27000, CVE-2020-27006, and CVE-2021-25174,

• Stack-based buffer overflow (3) - CVE-2020-27001, CVE-2020-26989, and CVE-2021-25178,

• Untrusted pointer dereference (3) - CVE-2020-27003, CVE-2020-26991, and CVE-2021-25176,

• Out-of-bounds write - CVE-2020-27005,

• Type confusion (2) - CVE-2020-26990 and CVE-2021-25177,

• Incorrect type conversion or cast - CVE-2021-25175,

• Memory allocation with excessive size value - CVE-2021-25173

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to lead to arbitrary code execution.

TIA Advisory

This advisory describes an improper access control vulnerability in the Siemens TIA Portal and PCS neo products. The vulnerability was reported [link added 2-10-21 08:11 EST] by Will Dormann from CERT Coordination Center. Siemens has an update that mitigates the vulnerability. There is no indication that Dormann has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow local users to escalate privileges and execute code as a local SYSTEM user.

RUGGEDCOM Advisory

This advisory describes six vulnerabilities in the Siemens RUGGEDCOM ROX IIB products. Siemens is self-reporting these vulnerabilities. Siemens has an update that mitigates the vulnerabilities.

• Improper input validation - CVE-2018-12404,

• Null pointer dereference - CVE-2018-18508,

• Out-of-bounds write - CVE-2019-11745,

• Insufficient verification of data authenticity - CVE-2019-17006,

• Improper certificate validation - CVE-2019-17007, and

• Out-of-bounds read - CVE-2020-1763

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow the decryption of encrypted content, possible code execution, or cause a system crash, resulting in a denial-of-service condition.

SINEMA Advisory

This advisory describes a path traversal vulnerability in the Siemens SINEMA Server and SINEC NMS products. The vulnerability was reported by rgod via ZDI. Siemens has a new version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow arbitrary code execution on an affected system.

Advantech Advisory

This advisory describes four vulnerabilities in the Advantech iView device management application. The vulnerabilities were reported by Anonymous and rgod via ZDI, and William Vu of Rapid7. Advantech has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• SQL injection (2) - CVE-2021-22654 and CVE-2021-22658,

• Path traversal - CVE-2021-22656, and

• Missing authentication for critical function - CVE-2021-22652

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to disclose information, escalate privileges to Administrator, perform an arbitrary file read, and remotely execute commands.

GE Digital Advisory

This advisory describes two incorrect permission assignment for critical resource vulnerabilities in the GE HMI/SCADA iFIX. The vulnerabilities were reported by William Knowles of Applied Risk. The GE Digital advisory also credits Sharon Brizinov of Claroty for reporting the three undescribed vulnerabilities, only one of which is apparently referenced in the NCCIC-ICS advisory. The Applied Risk advisory lists two vulnerabilities, and its CVSS v3 base score differs significantly from the one NCCIC-ICS assigns: 7.8 in the Applied Risk advisory versus 6.1 in the NCCIC-ICS advisory, with minor differences in the vector strings.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to escalate their privileges.

NOTE: I briefly discussed the GE Digital advisory this last weekend.

Other Siemens Advisory

Siemens also published one more advisory today. I will discuss that this weekend.
