Today CISA’s NCCIC-ICS published two control system security advisories for products from EIPStackGroup and Schneider Electric.
EIPStackGroup Advisory
This advisory describes four vulnerabilities in the EIPStackGroup OpENer EtherNet/IP stack. The vulnerabilities were reported by Tal Keren and Sharon Brizinov of Claroty. The Claroty report includes proof-of-concept code. EIPStackGroup has new commits that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Incorrect conversion between numeric types - CVE-2021-27478,
• Out-of-bounds read - CVE-2021-27482, and
• Reachable assertion (2) - CVE-2021-27500 and CVE-2021-27498
NOTE: The Claroty report includes a fifth vulnerability: out-of-bounds write - CVE-2020-13556.
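The two bug classes that lead the OpENer list, incorrect conversion between numeric types (CWE-681) and the out-of-bounds read (CWE-125) it can produce, are easiest to see side by side in a length-prefixed message parser. The following is an added example written for this page; it is not OpENer code, not Claroty's proof of concept, and not the actual defect behind any of the CVEs above. The message layout (a 2-byte little-endian item length followed by the payload), the sample messages, and the function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes shared by both parser variants. */
#define ITEM_OK         0
#define ITEM_TRUNCATED (-1)

/* Constructed sample messages (not captured traffic): a 2-byte little-endian
 * item length followed by the item payload. */
static const uint8_t MSG_GOOD[]  = {0x03, 0x00, 'A', 'B', 'C'}; /* says 3, has 3 */
static const uint8_t MSG_SHORT[] = {0x04, 0x00, 'A', 'B', 'C'}; /* says 4, has 3 */
static const uint8_t MSG_EVIL[]  = {0xFF, 0xFF, 'A', 'B', 'C'}; /* says 0xFFFF */

typedef int (*item_parser)(const uint8_t *msg, size_t msg_len, size_t *payload_len);

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable variant (CWE-681 leading to CWE-125): the unsigned wire field is
 * stored in a signed 16-bit variable, so 0xFFFF becomes -1. The bounds check
 * then compares signed values and passes, and the conversion back to size_t
 * turns -1 into SIZE_MAX, which a consumer would use to read past the buffer. */
static int item_len_vuln(const uint8_t *msg, size_t msg_len, size_t *payload_len)
{
    if (msg_len < 2) return ITEM_TRUNCATED;
    int16_t declared  = (int16_t)rd16le(msg);         /* wrong type: 0xFFFF -> -1 */
    int     remaining = (int)(msg_len - 2);
    if (declared > remaining) return ITEM_TRUNCATED;  /* -1 > 3 is false: passes */
    *payload_len = (size_t)declared;                  /* -1 -> SIZE_MAX */
    return ITEM_OK;
}

/* Hardened variant: keep the field unsigned and compare in size_t. Note that
 * writing assert(declared <= remaining) here instead, in a daemon built with
 * asserts enabled, would trade the out-of-bounds read for a remotely
 * reachable assertion (CWE-617): a crash on demand rather than a rejected
 * message. */
static int item_len_safe(const uint8_t *msg, size_t msg_len, size_t *payload_len)
{
    if (msg_len < 2) return ITEM_TRUNCATED;
    uint16_t declared = rd16le(msg);
    if ((size_t)declared > msg_len - 2) return ITEM_TRUNCATED;
    *payload_len = declared;
    return ITEM_OK;
}

/* Status code a parser variant returns for a message. */
static int parse_status(item_parser parse, const uint8_t *msg, size_t msg_len)
{
    size_t n = 0;
    return parse(msg, msg_len, &n);
}

/* How many bytes beyond the end of `msg` a consumer that trusted the parser's
 * payload length would read; 0 when the message is rejected or fits. The demo
 * only computes the overrun, it never performs the out-of-bounds read. */
static size_t overrun_bytes(item_parser parse, const uint8_t *msg, size_t msg_len)
{
    size_t n = 0;
    if (parse(msg, msg_len, &n) != ITEM_OK) return 0;
    size_t avail = msg_len - 2;
    return n > avail ? n - avail : 0;
}

int main(void)
{
    printf("vuln EVIL: status %d, would overrun by %zu bytes\n",
           parse_status(item_len_vuln, MSG_EVIL, sizeof MSG_EVIL),
           overrun_bytes(item_len_vuln, MSG_EVIL, sizeof MSG_EVIL));
    printf("safe EVIL: status %d, would overrun by %zu bytes\n",
           parse_status(item_len_safe, MSG_EVIL, sizeof MSG_EVIL),
           overrun_bytes(item_len_safe, MSG_EVIL, sizeof MSG_EVIL));
    return 0;
}
```

The check a reviewer should look for in any stack of this kind is that a wire length is compared in the same unsigned width it is later consumed in; the signed detour in the vulnerable variant is what lets a single malformed packet turn a length field into a read of arbitrary size.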
The NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition and data exposure.
Schneider Advisory
This advisory describes five vulnerabilities in the Schneider C-Bus Toolkit. The vulnerabilities were reported by rgod and Simon Zuckerbraun via the Zero Day Initiative. Schneider has newer versions that mitigate the vulnerabilities. There was no indication that the researchers were provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Improper privilege management - CVE-2021-22716, and
• Path traversal (4) - CVE-2021-22717, CVE-2021-22718, CVE-2021-22719, and CVE-2021-22720.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution.
NOTE 1: This looks like a third-party product from Clipsal, so the stand-alone Clipsal product may have the same vulnerabilities and other vendors may be using the same software.
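Four of the five C-Bus Toolkit findings are path traversal (CWE-22), the class where a file name supplied by a remote party is joined onto a server-side directory without checking that the result stays inside it. The following is an added example written for this page, not Schneider's or Clipsal's code and not a reconstruction of any of the CVEs above; the function names and test paths are constructed. It is a purely lexical check that treats both '/' and '\\' as separators, since the product is a Windows tool.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lexical check: does `rel` stay inside the directory it will be joined to?
 * Rejects absolute paths and drive-letter prefixes, and rejects any ".."
 * that would climb above the base. It never touches the file system, so it
 * cannot be fooled by a malformed directory entry, but it also does not
 * resolve symlinks or junctions; on a live system pair it with a
 * canonicalised-path comparison. Run it on the fully decoded name (after any
 * URL or escape decoding), never on the raw request string.
 * Returns 1 if confined, 0 if it escapes. */
int path_stays_inside(const char *rel)
{
    if (rel == NULL || rel[0] == '\0') return 0;
    if (rel[0] == '/' || rel[0] == '\\') return 0;                 /* absolute */
    if (isalpha((unsigned char)rel[0]) && rel[1] == ':') return 0; /* C:... */

    int depth = 0;              /* directory levels below the base dir */
    const char *p = rel;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - start);
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;   /* ".." would climb above the base */
            depth--;
        } else if (n > 0 && !(n == 1 && start[0] == '.')) {
            depth++;                    /* ordinary component; "." is ignored */
        }
        if (*p != '\0') p++;            /* skip the separator */
    }
    return 1;
}

/* Join `rel` onto `base` only after the check passes. Returns 1 and fills
 * `out` on success, 0 (with `out` empty) on rejection or truncation. */
int safe_join(char *out, size_t out_sz, const char *base, const char *rel)
{
    out[0] = '\0';
    if (!path_stays_inside(rel)) return 0;
    int n = snprintf(out, out_sz, "%s/%s", base, rel);
    if (n < 0 || (size_t)n >= out_sz) { out[0] = '\0'; return 0; }
    return 1;
}

/* Convenience wrapper: 1 if `rel` would be accepted under `base`. */
int join_accepts(const char *base, const char *rel)
{
    char buf[260];
    return safe_join(buf, sizeof buf, base, rel);
}

int main(void)
{
    const char *base = "C:/ProgramData/toolkit/projects";   /* constructed */
    const char *names[] = { "site/main.cbz", "a/../b",
                            "..\\..\\Windows\\win.ini", "C:\\Windows\\win.ini" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s -> %s\n", names[i],
               join_accepts(base, names[i]) ? "accepted" : "rejected");
    return 0;
}
```

The depth counter is the whole point: rejecting the literal string ".." is not enough, because "a/../../b" contains a ".." that is legal in isolation and one that is not, and only tracking how many levels the path has descended tells them apart.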
Commentary
We are seeing more and more of these ‘stack’ advisories. Claroty followed the same tack that Forescout took earlier this week by releasing the fuzzing tool that they used to find these reported vulnerabilities. This is going to ensure that more researchers will be doing research on these stacks and finding new vulnerabilities. Researchers will also be able to identify end-products that use the currently reported vulnerable stacks.
I was surprised on Tuesday when NCCIC-ICS did not publish a single advisory for the NAME:WRECK vulnerabilities and simply listed the individual Siemens advisories that reflected those vulnerabilities. They could then have added additional products to the ‘affected’ list once other vendors start reporting their vulnerable products. That is almost certainly what they intend to do with today’s EIPStackGroup advisory.