Today the CISA NCCIC-ICS published three control system security advisories for products from Hitachi ABB Power Grids (2) and Johnson Controls. They also published an update for an advisory for products from Rockwell Automation.
eSOMS Telerik Advisory
This advisory describes seven vulnerabilities in the Hitachi ABB eSOMS product that stem from the third-party Telerik software it uses. The vulnerabilities are self-reported. Hitachi ABB has a new version that mitigates the vulnerabilities.
The seven reported vulnerabilities are:
• Path traversal - CVE-2019-19790,
• Deserialization of untrusted data - CVE-2019-18935 (2 publicly available exploits),
• Improper input validation - CVE-2017-11357 (1 publicly available exploit),
• Inadequate encryption strength - CVE-2017-11317,
• Insufficiently protected credentials - CVE-2017-9248 (1 publicly available exploit),
• Path traversal - CVE-2014-2217, and
• Path traversal - CVE-2014-4958.
NOTE 1: Links are to the original Telerik advisory or blog post.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.
NOTE 2: Telerik apparently publicly acknowledged these vulnerabilities years ago (almost 7 years in one case). Why is it taking Hitachi ABB so long to address them? I guess the question is, did Telerik directly notify them of the vulnerability or just rely on the publication? I suspect that it was the latter.
eSOMS Advisory
This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in their eSOMS product. The vulnerability is self-reported. Hitachi ABB has new versions that mitigate the vulnerability.
NOTE: The Hitachi ABB advisory says they were notified of the vulnerability “through responsible disclosure”.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain access to unauthorized information.
Johnson Controls Advisory
This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Exacq Technologies (Johnson Controls) exacqVision Web Service. The vulnerability was reported by Milan Kyselica. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kyselica has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.
Rockwell Update
This update provides additional data on an advisory that was originally reported on February 25, 2021. The new information includes:
• Adding FactoryTalk Security to the list of affected products, and
• Rewriting the mitigation section (to include noting that this is not a patchable vulnerability).
NOTE: I briefly discussed the updated Rockwell advisory back on March 6th, 2021.