Tuesday, March 23, 2021

4 Advisories and 2 Updates Published – 3-23-21

Today the CISA NCCIC-ICS published four control system security advisories for products from Ovarro, GE Grid Solutions (2), and Weintek. They also published two updates for products from Rockwell Automation.

Ovarro Advisory

This advisory describes five vulnerabilities in the Ovarro TBox remote terminal units. The vulnerabilities were reported by Uri Katz of Claroty. Ovarro has new versions that mitigate the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Code injection - CVE-2021-22646,

• Incorrect permission assignment for critical resource - CVE-2021-22648,

• Uncontrolled resource consumption - CVE-2021-22642,

• Insufficiently protected credentials - CVE-2021-22640, and

• Use of hard-coded cryptographic key - CVE-2021-22644

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to achieve remote code execution, which may cause a denial-of-service condition.

NOTE: This advisory was originally published on February 23rd, 2021 on the restricted HSIN ICS library. This limited disclosure allows critical infrastructure additional time to implement mitigation measures before the vulnerability becomes public. NCCIC-ICS does not use this limited distribution very often; the last time was on July 21st, 2020 and the time before that was on November 6th, 2018.

Reason DR60 Advisory

This advisory describes three vulnerabilities in the GE Reason DR60 digital fault recorder products. The vulnerabilities were reported by Thales OT Security Team. GE has a firmware update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded password - CVE-2021-27440,

• Code injection - CVE-2021-27438, and

• Execution with unnecessary privileges - CVE-2021-27454

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to take full control of the digital fault recorder (DFR), remotely execute code, or escalate privileges.

MU320E Advisory

This advisory describes three vulnerabilities in the GE MU320E product. The vulnerabilities were reported by Tom Westenberg of Thales UK. GE has a new firmware version that mitigates the vulnerabilities. There is no indication that Westenberg has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded password - CVE-2021-27452,

• Execution with unnecessary privileges - CVE-2021-27448, and

• Inadequate encryption strength - CVE-2021-27450

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to escalate privileges and use hard-coded credentials to take control of the device.

NOTE: Neither of these advisories appears to address any of the 17 advisories published by GE on March 17th, 2021 that I briefly mentioned Saturday.

Weintek Advisory

This advisory describes three vulnerabilities in the Weintek cMT product. The vulnerabilities were reported by Marcin Dudek from CERT.PL. Weintek has upgrades that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Code injection - CVE-2021-27446,

• Improper access control - CVE-2021-27444, and

• Cross-site scripting - CVE-2021-27442

NCCIC-ICS reports

MicroLogix 1400 Update

This update provides additional information for an advisory that was originally published on February 2nd, 2021. The new information includes:

• Adding the names of the researchers from the Veermata Jijabai Technological Institute that reported the vulnerability, and

• Adding a link to the Rockwell advisory.

CompactLogix 5370 Update

This update provides additional information for an advisory that was originally published on March 2nd, 2021. The new information includes adding a link to the Rockwell Advisory.
