This week we have seven disclosures from Aruba Networks (2), Boston Scientific, PEPPERL+FUCHS, Siemens, and Schneider (2). We have vendor updates for products from Siemens (2) and Schneider (2). There is a researcher report for products from Fatek Automation. Finally, there was an exploit published for products from VMware.
Aruba Advisories
Aruba published an advisory discussing the SAD DNS vulnerability in their Instant Access Points products. Aruba has new versions that mitigate the vulnerability.
Aruba published an advisory describing nineteen vulnerabilities in their Instant Access Points products. Aruba has new versions that mitigate the vulnerabilities.
The 19 reported vulnerabilities are:
• Buffer overflow (3) - CVE-2019-5319, CVE-2021-25144, and CVE-2021-25149,
• Authenticated arbitrary remote command injection - CVE-2021-25150,
• Authenticated arbitrary file write - CVE-2021-25148,
• Unauthenticated command injection via DHCP options - CVE-2020-24636,
• Unauthenticated denial of service via PAPI protocol - CVE-2021-25143,
• Unauthenticated command injection via Web UI - CVE-2021-25162,
• Authenticated arbitrary file write via Web UI (2) - CVE-2021-25155, and CVE-2021-25159,
• Authenticated remote command execution (2) - CVE-2020-24635, and CVE-2021-25146,
• Authentication bypass - CVE-2019-5317 (Jenkins third-party),
• Authenticated reflected cross-site scripting - CVE-2021-25161,
• Unauthenticated arbitrary file read via race condition - CVE-2021-25158,
• Authenticated arbitrary directory create via Web UI - CVE-2021-25156,
• Authenticated arbitrary file read via Web UI - CVE-2021-25157,
• Authenticated arbitrary file write via Web UI to specific backup site - CVE-2021-25160, and
• Remote unauthorized disclosure of information - CVE-2021-25145
Boston Scientific
Boston Scientific published an advisory discussing the Microsoft TCP/IP vulnerabilities. They report that they are looking into the impact on their products “that use the affected Microsoft Window 7 and higher operating systems”.
PEPPERL+FUCHS Advisory
CERT-VDE published an advisory describing three vulnerabilities in the PEPPERL+FUCHS P+F RocketLinx products. The vulnerabilities were reported by T. Weber of SEC Consult Vulnerability Lab. PEPPERL+FUCHS has new firmware versions that mitigate the vulnerabilities. There is no indication that Weber was provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Cross-site request forgery - CVE-2020-12502,
• Improper input validation - CVE-2020-12503, and
• Hidden functionality - CVE-2020-12504
Siemens Advisory
Siemens published an advisory describing an improper access control vulnerability in their Mendix Forgot Password Appstore module. Siemens has a new version that mitigates the vulnerability.
Schneider Advisories
Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their PowerLogic power meters. The vulnerability was reported by Tal Keren and Rei Henigman of Claroty. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their PowerLogic power meters. The vulnerability was reported by Tal Keren and Rei Henigman of Claroty. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NOTE: The Claroty report explains the reason for the separate reports for these very similar vulnerabilities. They note that the different product sets are affected differently resulting in very different CVSS v3.0 Base Scores.
Siemens Updates
Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on February 9th, 2021. The new information includes adding the following CVEs:
• CVE-2020-8625,
• CVE-2021-3347,
• CVE-2021-20193,
• CVE-2021-23839,
• CVE-2021-23840,
• CVE-2021-23841, and
• CVE-2021-27212
Siemens published an update for their CodeMeter advisory that was originally published in 2018 and most recently updated on February 9th, 2021. The new information includes updating mitigation measures for:
• SINEC INS, and
• SINEMA Remote Connect
Schneider Updates
Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on January 12th, 2021. The new information includes:
• Adding mitigation measures for EcoStruxure Building SmartX IP MP Controllers, and
• Updating affected version information for EcoStruxure Building SmartX IP RP Controllers
Schneider published an update for their PLC Simulator advisory that was originally reported on November 11th, 2020. The new information includes announcing the development of a remediation plan for CVE-2020-7559.
NOTE: NCCIC-ICS may not update ICSA-20-315-03 for this announcement.
Fatek Report
The Zero Day Initiative published a report of a 0-day improper validation of user supplied data vulnerability in the Fatek PLC WinProladder. According to the report, NCCIC-ICS was supposed to issue an advisory on this last Thursday. I would expect to see it published this coming week.
VMware Exploit
Mikhail Klyuchnikov published a Metasploit module for an improper privilege management vulnerability in the VMware vCenter Server. VMware reported the vulnerability on February 23rd, 2021 with new versions to mitigate.