Public ICS Disclosures – Week of 3-20-21

This week we have 27 vendor disclosures from BD (3), Bosch, TRUMPF, GE Grid Systems (19), Mitsubishi Electric, Moxa, and Rockwell Automation. We have a researcher report for products from Ovarro. Finally, there were two exploits published for products from VMWare and Advantech.

BD Advisories

BD published patch advisories for the below listed products. These are the 3^rd party patches that have been tested by BD on the listed products.

• BD Care Coordination Engine (CCE),

• Security Patches: BD Pyxis™ Products, and

• Security Patches: BD Alaris™ Systems Manager

Bosch Advisories

Bosch published an advisory describing seven uncontrolled search path element vulnerabilities in multiple Bosch products. The vulnerabilities were reported by Nir Yehoshua, Dhiraj Mishra, and Eli Paz of CyberArk. Bosch has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

TRUMPF Advisory

CERT-VDE published an advisory describing an out-of-bounds write vulnerability in the TRUMPF TruControl laser control software. The vulnerability was reported by Qualys Research Labs. TRUMPF has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

GE Grid Advisories

GE published advisories for the below listed products. These may be updates for previously issued advisories, but only GE customers can access the advisories, so I do not know for sure:

• C30 Controller

• C60 Breaker Management Relay

• C70 Capacitor Bank Protection and Control System

• B30 Bus Differential Relay

• B90 Bus Differential System

• F35 Multiple Feeder Management Relay

• F60 Feeder Management Relay

• G30 Generator Management Relay

• G60 Generator Management Relay

• L30 Line Current Differential Relay

• L60 Line Phase Comparison Relay

• L90 Line Current Differential Relay

• M60 Motor Management Relay

• D30 Line Distance Relay

• D60 Line Distance Relay

• N60 Network Stability and Synchrophasor Measurement System

• T35 Transformer Management Relay

• T60 Transformer Management Relay

• UR Family of Protection Relays

Mitsubishi Advisory

Mitsubishi published an advisory discussing a heap-based buffer overflow vulnerability in a third-party TCP/IP stack (Treck). Mitsubishi is providing generic workarounds to mitigate the vulnerability.

NOTE: Mitsubishi is only reporting one of the four TCP/IP stack vulnerabilities reported by Treck.

Moxa Advisory

Moxa published an advisory describing ten vulnerabilities in their EDR-810 Series Security Routers. The vulnerabilities were reported by the Russian BDU FSTEC. Moxa has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Improper Input Validation - CVE-2014-2284 (Linux ICMP-MIB implementation),

• Resource Management Errors - CVE-2015-1788 (Open SSL),

• Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-10012 (Open SSH),

• Exposure of Sensitive Information to an Unauthorized Actor - CVE-2015-3195 (Open SSL),

• Improper Input Validation - CVE-2016-6515 (open SSH, Exploit),

• Improper Input Validation - CVE-2017-17562 (EmbedThis, Exploit),

• Cryptographic Issues - CVE-2013-0169 (TLS Protocol),

• Permissions, Privileges, and Access Controls - CVE-2013-1813 (BusyBox, Exploit), and

• Numeric Errors - CVE-2010-2156 (ISC DHP, Exploit)

Rockwell Advisory

Rockwell published an advisory discussing eight vulnerabilities in their Stratix Switches. These are third-party (Cisco) vulnerabilities. Rockwell has new versions that mitigate the vulnerability.

The eight reported vulnerabilities are:

• Privilege escalation (2) - CVE-2021-1392 and CVE-2021-1442,

• Cross-site web socket hijacking - CVE-2021-1403,

• Denial of service (3) - CVE-2021-1352, CVE-2021-1220, and CVE-2021- 1356, and

• Command injection (2) - CVE-2021-1452 and CVE-2021-1443,

NOTE: Links above are to the Cisco advisories.l

Ovarro Report

Claroty published a report describing the five vulnerabilities that were reported earlier this week in the Ovarro TBox RTUs.

VMWare Exploit

WVU published a Metasploit module for a remote code execution vulnerability in the VMware View Planner. This vulnerability was previously reported by VMware.

Advantech Exploit

Spencer McIntyre published a Metasploit module for a missing authentication for critical function vulnerability in the Advantech iView. This vulnerability was previously reported by Advantech.