Tuesday, May 11, 2021

15 Advisories Published – 5-11-21

Today CISA’s NCCIC-ICS published fifteen control system security advisories for products from Siemens (13), Mitsubishi, and Omron. NCCIC-ICS also published six updates today; I will cover them in a separate blog post tomorrow.

SIMATIC Advisory #1

This advisory describes two vulnerabilities in the Siemens SIMATIC S7-1500 CPU 1518F-4. These are third-party (Intel) vulnerabilities. Siemens provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper initialization - CVE-2020-8744, and

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-0591

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to achieve unauthorized privilege escalation.

SCALANCE Advisory #1

This advisory describes 19 vulnerabilities in the Siemens SCALANCE W1750D. These are third-party vulnerabilities (Aruba Instant Access Points). Siemens has a new version that mitigates the vulnerabilities.

The 19 vulnerabilities are:

• Improper authentication (2) - CVE-2019-5317 and CVE-2021-25143,

• Classic buffer overflow (3) - CVE-2019-5319, CVE-2021-25144, and CVE-2021-25149,

• Command injection (5) - CVE-2020-24635, CVE-2020-24636, CVE-2021-25146, CVE-2021-25150, and CVE-2021-25162,

• Improper input validation (7) - CVE-2021-25145, CVE-2021-25148, CVE-2021-25155, CVE-2021-25156, CVE-2021-25157, CVE-2021-25159, and CVE-2021-25160,

• Race condition - CVE-2021-25158, and

• Cross-site scripting - CVE-2021-25161

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute arbitrary code as a privileged user on the underlying operating system, fully compromise the underlying operating system, overwrite sensitive system files, create a denial-of-service condition, execute arbitrary script code in a victim’s browser, read arbitrary files off the underlying file system, create an attacker-named directory, corrupt backup files, or obtain sensitive information.

NOTE: I briefly discussed the Aruba vulnerabilities back in March.

SINAMICS Advisory #1

This advisory describes a missing authentication for critical function vulnerability in the Siemens SINAMICS Medium Voltage Products. The vulnerability is self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to gain full remote access to the HMI.

NOTE: This same Telnet service vulnerability was reported in the Siemens SIMATIC HMI Comfort Panels back in February.

SIMATIC Advisory #2

This advisory describes seven vulnerabilities in the Siemens SIMATIC HMIs/WinCC products. These are third-party (SmartVNC) vulnerabilities. Siemens has updates that mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• Access of memory location after end of buffer (3) - CVE-2021-25660, CVE-2021-25661, and CVE-2021-27384,

• Improper handling of exceptional conditions - CVE-2021-25662,

• Improper restriction of operations within the bounds of a memory buffer (2) - CVE-2021-27383 and CVE-2021-27386, and

• Uncontrolled resource consumption - CVE-2021-27385

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.

SIMATIC Advisory #3

This advisory describes ten vulnerabilities in the Siemens SIMATIC HMIs/WinCC Products. These are third-party (UltraVNC) vulnerabilities. Siemens has updates that mitigate the vulnerabilities.

The ten reported vulnerabilities are:

• Improper initialization (2) - CVE-2019-8259 and CVE-2019-8277,

• Out-of-bounds read (2) - CVE-2019-8260 and CVE-2019-8261,

• Heap-based buffer overflow - CVE-2019-8262,

• Stack-based buffer overflow - CVE-2019-8263,

• Access of memory location after end of buffer (3) - CVE-2019-8264, CVE-2019-8265, and CVE-2019-8280, and

• Improper null termination - CVE-2019-8275

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.

NOTE: These vulnerabilities were reported in the Siemens SINUMERIK products back in June of 2020. That advisory included 22 vulnerabilities.

SCALANCE Advisory #2

This advisory describes an incorrect calculation vulnerability in the Siemens SCALANCE XM-400 and XR-500 products. The vulnerability is self-reported. Siemens has updates available that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled, unauthenticated attacker could remotely exploit the vulnerability to create a permanent denial-of-service condition.

Mendix Advisory #1

This advisory describes a generation of error message containing sensitive information vulnerability in the Siemens Mendix Excel Importer. The vulnerability is self-reported. Mendix has an update that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to expose information to unauthorized parties.

Tecnomatix Advisory

This advisory describes three vulnerabilities in the Siemens Tecnomatix Plant Simulation. The vulnerabilities were reported by Francis Provencher via the Zero Day Initiative. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Stack-based buffer overflow (2) - CVE-2021-27396 and CVE-2021-27398, and

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-27397

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute arbitrary code.

SIMATIC Advisory #4

This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC CP343-1 devices. The vulnerability is self-reported. Siemens has provided a generic workaround to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

SNMP Implementation Advisory

This advisory describes an out-of-bounds write vulnerability in the Siemens SNMP Implementation of WinCC Runtime. The vulnerability was reported by Younes Dragoni and Alessandro Di Pinto of Nozomi Networks. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to crash the SNMP service and require a manual restart of the device to resume operation of the service.

NOTE: Someone has been holding onto this vulnerability (CVE-2019-19276) for a while; the CVE number dates to 2019, yet there is still no listing for it in either the NIST or MITRE databases.

Mendix Advisory #2

This advisory describes a generation of error message containing sensitive information vulnerability in the Siemens Mendix Database Replication Module. The vulnerability is self-reported. Mendix has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to sensitive information.

SINAMICS Advisory #2

This advisory describes a missing authentication for critical function vulnerability in the Siemens SINAMICS Medium Voltage Products. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to gain full remote access to the HMI.

NOTE: The Siemens advisory (SSA-752103) mentioned in this advisory does not correspond to the CVE reported by NCCIC-ICS. In fact, the CVE in the Siemens advisory corresponds to ICSA-21-131-13, reported in SINAMICS Advisory #1 above, which also references SSA-752103. None of the other Siemens advisories published today report CVE-2021-31337, which is what NCCIC-ICS reports in this advisory, and that CVE appears to be well outside the CVE number sequence used in the other NCCIC-ICS advisories today. I am not sure what is going on here.
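The two sanity checks behind the NOTEs in this post (a stated count that should match the IDs actually listed, and a CVE number that sits far outside the block the other same-year IDs come from) can be scripted. The Python below is an added example, not code from the post or from CISA/Siemens. It assumes text in this post's format (a heading ending in "Advisory" or "Advisory #n", a "describes N vulnerabilities" sentence, bulleted CVE lists); SAMPLE is a constructed excerpt built from IDs the post lists, and max_gap=2000 is a heuristic I chose, not a rule of the CVE program.

```python
import re
from collections import OrderedDict

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,7})\b")
# Headings in the post read "SCALANCE Advisory #1", "Omron Advisory", etc. (assumed format).
HEADING_RE = re.compile(r"^\S.*\bAdvisory(?: #\d+)?\s*$")
# The post states a count as "describes 19 vulnerabilities" or "describes three vulnerabilities".
STATED_RE = re.compile(r"describes (\d+|one|two|three|seven|ten) vulnerabilit")
WORDS = {"one": 1, "two": 2, "three": 3, "seven": 7, "ten": 10}

# Constructed excerpt in the post's format. IDs are ones the post lists; the
# SINAMICS #2 line is constructed so CVE-2021-31337 appears under its own heading.
SAMPLE = """\
SCALANCE Advisory #1

This advisory describes 19 vulnerabilities in the Siemens SCALANCE W1750D.

• Improper authentication (2) - CVE-2019-5317 and CVE-2021-25143,
• Classic buffer overflow (3) - CVE-2019-5319, CVE-2021-25144, and CVE-2021-25149,
• Command injection (5) - CVE-2020-24635, CVE-2020-24636, CVE-2021-25146, CVE-2021-25150, and CVE-2021-25162,
• Improper input validation (7) - CVE-2021-25145, CVE-2021-25148, CVE-2021-25155, CVE-2021-25156, CVE-2021-25157, CVE-2021-25159, and CVE-2021-25160,
• Race condition - CVE-2021-25158, and
• Cross-site scripting - CVE-2021-25161

Tecnomatix Advisory

This advisory describes three vulnerabilities in the Siemens Tecnomatix Plant Simulation.

• Stack-based buffer overflow (2) - CVE-2021-27396 and CVE-2021-27398, and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-27397

SINAMICS Advisory #2

This advisory describes a missing authentication for critical function vulnerability (CVE-2021-31337).
"""


def split_sections(text):
    """Map each advisory heading to the lines beneath it, in document order."""
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        if HEADING_RE.match(line):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def cves_in(lines):
    """CVE IDs found in the lines, first-seen order, duplicates removed."""
    seen = OrderedDict()
    for line in lines:
        for m in CVE_RE.finditer(line):
            seen[m.group(0)] = None
    return list(seen)


def stated_count(lines):
    """The 'describes N vulnerabilities' figure for a section, or None if absent."""
    for line in lines:
        m = STATED_RE.search(line)
        if m:
            tok = m.group(1)
            return int(tok) if tok.isdigit() else WORDS[tok]
    return None


def check_counts(text):
    """Sections whose stated count disagrees with the IDs listed: {heading: (stated, found)}."""
    mismatches = {}
    for heading, lines in split_sections(text).items():
        stated = stated_count(lines)
        found = len(cves_in(lines))
        if stated is not None and stated != found:
            mismatches[heading] = (stated, found)
    return mismatches


def sequence_outliers(text, year, max_gap=2000):
    """IDs of `year` whose sequence number is more than max_gap away from every
    other ID of that year in the text. ASSUMPTION: a vendor CNA's IDs in one
    batch come from nearby blocks, so an isolated ID deserves a second look;
    max_gap is a heuristic, not a rule of the CVE program."""
    seqs = sorted({int(m.group(2)) for m in CVE_RE.finditer(text) if int(m.group(1)) == year})
    flagged = []
    for i, s in enumerate(seqs):
        gaps = []
        if i > 0:
            gaps.append(s - seqs[i - 1])
        if i < len(seqs) - 1:
            gaps.append(seqs[i + 1] - s)
        if gaps and min(gaps) > max_gap:
            flagged.append(f"CVE-{year}-{s}")
    return flagged


if __name__ == "__main__":
    print("count mismatches:", check_counts(SAMPLE))
    for y in (2019, 2020, 2021):
        print(y, "isolated IDs:", sequence_outliers(SAMPLE, y))
```

On the sample, the counts all reconcile and the only isolated 2021 ID is CVE-2021-31337, which is exactly the ID the NOTE above questions; a year with a single ID (or only IDs that are all far apart) produces no flag, because the heuristic needs at least one neighbour to compare against.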

Siemens Linux Advisory  

This advisory describes a use of insufficiently random values vulnerability in Siemens Linux-based products. This is the SAD DNS vulnerability, and proof-of-concept code is available on the report site. Siemens has updates available to mitigate the vulnerability in some of the affected products.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to compromise confidentiality and integrity.

NOTE: Siemens has previously added the CVE for this vulnerability to their generic GNU/Linux subsystem advisory.

Mitsubishi Advisory

This advisory describes a buffer access with incorrect length vulnerability in the Mitsubishi GOT and Tension Controller. The vulnerability was reported by Parul Sindhwad and Dr. Faruk Kazi of COE-CNDS Lab, VJTI, Mumbai, India. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to stop the communication function of the products, requiring a reset to regain functionality.

Omron Advisory

This advisory describes a stack-based buffer overflow in the Omron CX-One automation software suite. The vulnerability was reported by rgod via ZDI. Omron has an updated version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to execute arbitrary code.

Other Advisories

Siemens published one other advisory today that was not reported by NCCIC-ICS. If it is not covered Thursday by NCCIC-ICS then I will discuss it this weekend.
