Tuesday, May 25, 2021

2 Advisories Published – 5-25-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Datakit Libraries.

Rockwell Advisory

This advisory describes a channel accessible by non-endpoint vulnerability in the Rockwell Micro800, MicroLogix 1400 controllers. The vulnerability was reported by Hyunguk Yoo from The University of New Orleans, as well as Adeen Ayub and Irfan Ahmed from Virginia Commonwealth University. Rockwell provides generic work arounds for the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker can remotely exploit the vulnerability to may result in denial-of-service conditions, which may require a firmware flash to recover.

NOTE: The Rockwell advisory recommends blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222  using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. This is not mentioned in the NCCIC-ICS guidance.

DataKit Advisories

This advisory describes five vulnerabilities in the DataKit Software libraries embedded in Luxion KeyShot software. The vulnerabilities were reported by rgod via the Zero Day Initiative. DataKit has a new version that mitigates the vulnerabilities and Luxion has a new version that contains the new DataKit version.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2021-27488,

• Improper restrictions on XML external entity reference - CVE-2021-27492,

• Stack-based buffer overflow - CVE-2021-27494,

• Untrusted pointer dereference - CVE-2021-27496, and

• Out-of-bounds read - CVE-2021-27490

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to lead to execution of arbitrary code and disclosure of arbitrary files to unauthorized actors.

No comments:

/* Use this with templates/template-twocol.html */