Thursday, April 29, 2021

4 Advisories Published – 4-29-21

Today, CISA’s NCCIC-ICS published control system security advisories for products from multiple RTOS vendors, Johnson Controls, Cassia Networks, and Texas Instruments.

RTOS Advisory

This advisory describes 23 [corrected typo '13' to '23', 4-30-21 0853 EDT] different integer overflow or wraparound vulnerabilities in multiple real-time operating systems (RTOS). The vulnerabilities were discovered by Microsoft’s Section 52, the Azure Defender for IoT security research group and are collectively named BadAlloc. The advisory provides links to updated versions for most of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in unexpected behavior such as a crash or a remote code injection/execution.

NOTE: NCCIC-ICS has updated their remote access – VPN guidance:

“When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.”

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in Johnson Controls exacqVision Network Video Recorder running on unpatched versions of the Ubuntu operating system. This is a third-party (Sudo) vulnerability and there are exploits reported (here, here, and here for example). Johnson Controls recommends updating the Ubuntu operating systems to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability to  obtain “Super User” access to the underlying Ubuntu Linux operating system.

Cassia Advisory

This advisory describes a path traversal vulnerability for the Cassia Networks Access Controller. The vulnerability was reported by Amir Preminger and Sharon Brizinov of Claroty. Cassia has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an attacker to read any file from the Access Controller server.

TI Advisory

This advisory describes five vulnerabilities in the Texas Instruments SimpleLink Wi-Fi products. The vulnerabilities were reported by David Atch and Omri Ben Bassat from Microsoft. TI has software versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Integer overflow or wraparound (4) - CVE-2021-22677, CVE-2021-22675, CVE-2021-22679, and CVE-2021-22671, and

• Stack-based buffer overflow - CVE-2021-22673

No comments:

/* Use this with templates/template-twocol.html */