Today CISA’s NCCIC-ICS published four control system security advisories for products from Unified Automation, OPC Foundation, Johnson Controls, and Rockwell.
Unified Automation Advisory
This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Unified Automation .NET based OPC UA Client/Server SDK Bundle. The vulnerability was reported by Eran Jacob with the Otorio Research Team. UA has new software to mitigate the vulnerability. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an unauthenticated attacker
to read any file on the file system.
NOTE: NCCIC-ICS reports that the vulnerability was originally documented by Microsoft in CVE-2015-6096.
OPC Foundation Advisory
This advisory describes an uncontrolled recursion vulnerability in the OPC Foundation OPC UA Servers. The vulnerability was reported by Eran Jacob with the Otorio Research Team. OPC has an update that mitigates the vulnerability. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to trigger a stack overflow.
Johnson Controls Advisory
This advisory describes an off-by-one error vulnerability in the Sensormatic Electronics Tyco AI. This is a third-party (SUDO) vulnerability with multiple published exploits (see here, here, and here for instance). Johnson Controls has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to obtain super-user access to the underlying openSUSE Linux operating system.
NOTE: The Johnson Control advisory says the product is the American Dynamics Tyco AI.
Rockwell Advisory
This advisory describes three vulnerabilities in the Rockwell Connected Components Workbench. The vulnerability was reported by Mashav Sapir of Claroty. Rockwell has a new version that mitigates the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Deserialization of untrusted data
- CVE-2021-27475,
• Path traversal - CVE-2021-27471,
and
• Improper input validation - CVE-2021-27473
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow remote code execution,
authentication bypass, or privilege escalation.
Posts
No comments:
Post a Comment