The CISA NCCIC-ICS published three control system security advisories for products from MB connect line, Rockwell Automation and Hitachi ABB Power Grids.
MB Connect Advisory
This advisory describes 18 vulnerabilities in the MB connect line mymbCONNECT24 and mbCONNECT24 remote access products. The vulnerabilities were reported by OTORIO. MB connect has a new version that mitigates most of the vulnerabilities, the remaining vulnerabilities will be fixed in a future release. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The 18 reported vulnerabilities are:
• Improper privilege management (4)
- CVE-2020-12527, CVE-2020-12528, CVE-2020-35557, and CVE-2020-10384,
• Server-side request forgery (3) -
CVE-2020-12529, CVE-2020-35558, and CVE-2020-35561,
• Cross-site scripting (4) - CVE-2020-12530,
CVE-2020-35563, CVE-2020-35564, and CVE-2020-35569,
• Uncontrolled resource consumption
- CVE-2020-35559,
• Open redirect - CVE-2020-35560,
• Insecure default initialization
of resource - CVE-2020-35565,
• PHP remote file inclusion - CVE-2020-35566,
• Use of hard-coded credentials - CVE-2020-35567,
• Exposure of sensitive information
to an unauthorized actor - CVE-2020-35568, and
• Files or directories accessible to external parties - CVE-2020-35570
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain unauthorized access to arbitrary information or allow remote code execution. The OTORIO report lists that same general potential effects with much more vivid language.
NOTE: The OTORIO report refers to ‘more than 20 critical security flaws’, but does not provide a list of the vulnerabilities.
Rockwell Advisory
This advisory describes an improper input validation vulnerability in the Rockwell CompactLogix and ControlLogix controllers. The vulnerability was reported by Yeop Chang. Rockwell has newer firmware that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to send specially crafted CIP packet requests to a controller, which may cause denial-of-service conditions in communications with other products.
Hitachi ABB Advisory
This advisory describes two vulnerabilities in the Hitachi ABB Ellipse Enterprise Asset Management products. The vulnerabilities are self-reported. Hitachi ABB has a new version that mitigates the vulnerabilities.
NOTE: The Hitachi ABB advisory reports that the vulnerability was reported to them by a private individual via a responsible disclosure. There is no indication that the individual was provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Cross-site scripting - CVE-2021-27416,
and
• User interface misrepresentation of critical information - CVE-2021-27414
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker to steal
sensitive information, hijack a user’s session, or compromise authentication
credentials.
No comments:
Post a Comment