Tuesday, April 13, 2021

15 Advisories Published – 4-13-21

Today CISA’s NCCIC-ICS published 15 control systems security advisories for products from Siemens (12), JTEKT, Advantech, and Schneider Electric. One of the Siemens advisories also affects products from Milestone and another also affects products from PKE.

Milestone Advisory

This advisory describes a use-of-hard-coded-cryptographic-key vulnerability in the Siemens Siveillance (Milestone) Video Open Network Bridge (ONVIF). The vulnerability was reported by Milestone PSIRT. Siemens has a hot fix and Milestone has an update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server.

Nucleus Advisory #1

This advisory describes a use-of-insufficiently-random-values vulnerability in the Siemens Nucleus DNS module. This is one of the NAME:WRECK DNS vulnerabilities reported by Forescout and JSOF. Siemens has generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to poison the DNS cache or spoof DNS resolving.

SIMOTICS Advisory

This advisory describes four vulnerabilities in the Siemens SIMOTICS CONNECT 400. The vulnerabilities were self-reported. These are NAME:WRECK vulnerabilities in the third-party Mentor DNS Module. Siemens has a new version that mitigates the vulnerabilities.

The four reported vulnerabilities are:

• Improper null termination - CVE-2020-27736,

• Out-of-bounds read - CVE-2020-27737, and

• Access of memory location after end of buffer - CVE-2020-27738 and CVE-2021-25677

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to poison the DNS cache or spoof DNS resolving.

Tecnomatix Advisory

This advisory describes an out-of-bounds write in the Siemens Tecnomatix RobotExpert. The vulnerability was reported by Francis Provencher via the Zero Day Initiative. Siemens has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

TIM Advisory

This advisory describes 14 vulnerabilities in the Siemens TIM 4R-IE. These are third-party vulnerabilities in the device’s ntpd (SNTP) component. The vulnerabilities are self-reported.

The 14 reported vulnerabilities are:

• Incorrect type conversion or cast - CVE-2015-5219,

• Improper input validation (4) - CVE-2015-7855 (exploit), CVE-2015-7705, CVE-2015-8138, and CVE-2016-1547,

• Improper authentication (2) - CVE-2015-7871 and CVE-2016-4953,

• Security features - CVE-2015-7973,

• Null pointer dereference - CVE-2015-7977,

• Data processing errors (2) - CVE-2015-7979 and CVE-2016-1548,

• Exposure of sensitive information to an unauthorized actor - CVE-2016-1550, and

• Race condition - CVE-2016-4954

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to compromise the confidentiality, integrity, and availability of the device.

PKE Advisory

This advisory describes twelve vulnerabilities in the Siemens (and PKE) Control Center Server (CCS). The vulnerabilities were reported by Raphaël Rigo of Airbus Security Lab. Siemens (and PKE) have new versions that mitigate the vulnerabilities. There is no indication that Rigo has been provided an opportunity to verify the efficacy of the fix.

The 12 reported vulnerabilities are:

• Cleartext storage of sensitive information in GUI - CVE-2019-13947,

• Improper authentication (2) - CVE-2019-18337 and CVE-2019-18341,

• Relative path traversal - CVE-2019-18338,

• Use of a broken or risky cryptographic algorithm - CVE-2019-18340,

• Exposed dangerous method or function - CVE-2019-18342,

• Path traversal - CVE-2019-19290,

• Cleartext storage in a file or on a disk - CVE-2019-19291,

• SQL Injection - CVE-2019-19292,

• Cross-site scripting (2) - CVE-2019-19293 and CVE-2019-19294, and

• Insufficient logging - CVE-2019-19295

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read and write arbitrary files and sensitive data and execute commands and arbitrary code.

NOTE: These vulnerabilities were removed from earlier Siemens Advisories, SSA-761617 and SSA-844761.

LOGO! Advisory

This advisory describes two vulnerabilities in the Siemens LOGO! engineering software products. The vulnerabilities were reported by Mashav Sapir from Claroty. Siemens provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Path traversal - CVE-2020-25243, and

• Uncontrolled search path element - CVE-2020-25244

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a local attacker to take over the system where the software is installed.

NOTE: Someone slipped up on the listing of ‘Equipment’ and ‘Vulnerability’ in the ‘Executive Summary’ section of the advisory.

SINEMA Advisory

This advisory describes two vulnerabilities in the Siemens SINEMA Remote Connect Server. These are third-party vulnerabilities (libxml2). Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Missing release of resource after effective lifetime - CVE-2019-19956, and

• Infinite loop - CVE-2020-7595

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to cause a memory leak or an infinite loop situation resulting in a denial-of-service condition.

SCALANCE Advisory

This advisory describes two vulnerabilities in the web server of the Siemens SCALANCE X200 family. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-25668, and

• Stack-based buffer overflow - CVE-2021-25669

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a buffer overflow condition resulting in remote code execution.

Solid Edge Advisory

This advisory describes five vulnerabilities in the Siemens Solid Edge software tools. The vulnerabilities were reported by Francis Provencher and rgod via ZDI. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-28385, CVE-2021-25678, CVE-2021-27380,

• Untrusted pointer dereference - CVE-2020-26997, and

• Stack-based buffer overflow - CVE-2021-27382

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerabilities to lead to a crash, arbitrary code execution, or data extraction on the target host system.

Nucleus Advisory #2

This advisory describes two infinite loop vulnerabilities in the Siemens Nucleus products. The vulnerabilities were self-reported. Siemens has a new version for one of the affected products that mitigates the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition.

Nucleus Advisory #3

This advisory describes two vulnerabilities in the Siemens Nucleus DNS module. These are two of the NAME:WRECK DNS vulnerabilities reported by Forescout and JSOF. Siemens provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-15795, and

• Use of out-of-range pointer offset - CVE-2020-27009

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition or to execute code remotely.
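The bug classes listed above for the SIMOTICS CONNECT 400 and Nucleus DNS modules (improper null termination, out-of-bounds read, access past the end of a buffer, out-of-range pointer offset) all sit in one routine of any DNS client: decoding a name that may use message compression. The following is an added example written for this post; it is not Siemens or Mentor code and is not derived from the advisories. It shows a name decoder with the bounds check that corresponds to each of those CWEs, run over constructed sample messages. The DNS_MAX_JUMPS cap on pointer chains is an assumed value, not something any RFC specifies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME   255   /* RFC 1035 wire-format name limit */
#define DNS_MAX_LABEL  63    /* RFC 1035 label limit */
#define DNS_MAX_JUMPS  16    /* assumed cap on pointer chains (not from any RFC) */

/*
 * Decode the DNS name at msg[off] into out as a dotted string.
 * Returns the number of bytes the name occupies at the original position
 * (so a record parser can step past it), or -1 for any malformed input.
 * Each -1 below is one of the bug classes from the NAME:WRECK advisories:
 * missing terminator, label past the end of msg, or a compression pointer
 * that leaves the message or loops.
 */
long dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                   char *out, size_t out_len)
{
    size_t pos = off;       /* current read position in msg */
    size_t consumed = 0;    /* bytes used at the original position; fixed at first pointer */
    size_t written = 0;     /* bytes written to out so far */
    size_t wire_len = 0;    /* accumulated wire length, bounded by DNS_MAX_NAME */
    int jumps = 0;

    if (out_len == 0)
        return -1;

    for (;;) {
        /* Improper null termination: the name must end in a 0 byte inside msg. */
        if (pos >= msg_len)
            return -1;
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {             /* compression pointer, 14-bit offset */
            if (pos + 1 >= msg_len)
                return -1;                      /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (consumed == 0)
                consumed = pos + 2 - off;
            /* Out-of-range pointer offset: target must lie inside msg and
             * before the pointer itself (this also rejects a self-pointer). */
            if (target >= pos)
                return -1;
            /* Backward pointers can still cycle through a label's data
             * bytes, so the chain length is capped as well. */
            if (++jumps > DNS_MAX_JUMPS)
                return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0)
            return -1;                          /* 0x40 / 0x80 prefixes are reserved */

        if (len == 0) {                         /* root label ends the name */
            if (consumed == 0)
                consumed = pos + 1 - off;
            break;
        }
        if (len > DNS_MAX_LABEL)
            return -1;
        /* Out-of-bounds read: the whole label must fit inside msg. */
        if (len > msg_len - pos - 1)
            return -1;
        wire_len += (size_t)len + 1;
        if (wire_len > DNS_MAX_NAME)
            return -1;
        if (written + len + 2 > out_len)        /* room for dot, label and NUL */
            return -1;
        if (written)
            out[written++] = '.';
        memcpy(out + written, msg + pos + 1, len);
        written += len;
        pos += 1 + len;
    }
    out[written] = '\0';
    return (long)consumed;
}

/* Constructed sample messages (not captured from any real device). */
static const uint8_t MSG_PLAIN[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t MSG_COMPRESSED[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* offset 0 */
    4,'m','a','i','l', 0xC0, 0x04 };        /* offset 17: "mail" + pointer to offset 4 */
static const uint8_t MSG_NO_TERMINATOR[] = { 3,'w','w','w' };
static const uint8_t MSG_LABEL_OVERRUN[] = { 5,'a','b' };
static const uint8_t MSG_POINTER_OUT_OF_RANGE[] = { 3,'a','b','c', 0xC1, 0x00 }; /* -> offset 256 */
static const uint8_t MSG_POINTER_LOOP[] = { 2, 0xC0, 0x00, 0xC0, 0x01 };          /* 3 -> 1 -> 0 -> 3 ... */

/* Runs every sample; returns the number of cases that did not behave as expected. */
int run_checks(void)
{
    char name[DNS_MAX_NAME + 1];
    int failures = 0;

    if (dns_read_name(MSG_PLAIN, sizeof MSG_PLAIN, 0, name, sizeof name) != 17 ||
        strcmp(name, "www.example.com") != 0)
        failures++;
    if (dns_read_name(MSG_COMPRESSED, sizeof MSG_COMPRESSED, 17, name, sizeof name) != 7 ||
        strcmp(name, "mail.example.com") != 0)
        failures++;
    if (dns_read_name(MSG_NO_TERMINATOR, sizeof MSG_NO_TERMINATOR, 0, name, sizeof name) != -1)
        failures++;
    if (dns_read_name(MSG_LABEL_OVERRUN, sizeof MSG_LABEL_OVERRUN, 0, name, sizeof name) != -1)
        failures++;
    if (dns_read_name(MSG_POINTER_OUT_OF_RANGE, sizeof MSG_POINTER_OUT_OF_RANGE, 0, name, sizeof name) != -1)
        failures++;
    if (dns_read_name(MSG_POINTER_LOOP, sizeof MSG_POINTER_LOOP, 0, name, sizeof name) != -1)
        failures++;
    return failures;
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    long n = dns_read_name(MSG_COMPRESSED, sizeof MSG_COMPRESSED, 17, name, sizeof name);
    printf("decoded \"%s\", %ld bytes at offset 17\n", name, n);
    int bad = run_checks();
    printf("%d sample(s) misbehaved\n", bad);
    return bad != 0;
}
```

The MSG_POINTER_LOOP sample is the case that a “pointers must point backward” rule alone does not catch: the pointer at offset 3 goes to offset 1, which is inside the first label’s data and is itself a pointer back to offset 0, so the walk revisits offset 3 forever unless the chain length (or the accumulated name length) is bounded.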

NOTE: There were two additional Siemens advisories published today that were not covered by NCCIC-ICS. If they are not covered on Thursday, I will address them on Saturday.

JTEKT Advisory

This advisory describes an improper resource shutdown or release vulnerability in the JTEKT TOYOPUC products. The vulnerability was reported by Younes Dragoni from Nozomi Networks. JTEKT has provided generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthorized user to prevent Ethernet communications between devices from being established.

Advantech Advisory

This advisory describes an incorrect permission assignment for critical resources in the Advantech WebAccess/SCADA. The vulnerability was reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs of Trend Micro. Advantech has a new version that mitigates the vulnerability. There is no indication that Toyama has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to log in as ‘admin’ and fully control the system.

Schneider Advisory

This advisory describes an improper restriction of XML external entity reference vulnerability in the Schneider SoMachine Basic products. The vulnerability was reported by Gjoko Krstikj of Applied Risk. Schneider has a new product that replaces the affected product and has updated the mitigation measures.

NOTE 1: This is actually based upon an update to a Schneider advisory that was published on May 22nd, 2018.

NOTE 2: Schneider also published two advisories and two other updates today. If they are not covered by NCCIC-ICS on Thursday, I will address them here on Saturday.
