Thursday, May 13, 2021

4 Advisories Published – 5-13-21

Today CISA’s NCCIC-ICS published four control system security advisories for products from Unified Automation, OPC Foundation, Johnson Controls, and Rockwell.

Unified Automation Advisory

This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Unified Automation .NET based OPC UA Client/Server SDK Bundle. The vulnerability was reported by Eran Jacob with the Otorio Research Team. UA has new software to mitigate the vulnerability. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled, unauthenticated attacker could remotely exploit the vulnerability to read any file on the file system.

 

NOTE: NCCIC-ICS reports that the vulnerability was originally documented by Microsoft in CVE-2015-6096.

OPC Foundation Advisory

This advisory describes an uncontrolled recursion vulnerability in the OPC Foundation OPC UA Servers. The vulnerability was reported by Eran Jacob with the Otorio Research Team. OPC has an update that mitigates the vulnerability. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to trigger a stack overflow.

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in the Sensormatic Electronics Tyco AI. This is a third-party (SUDO) vulnerability with multiple published exploits (see here, here, and here for instance). Johnson Controls has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to obtain super-user access to the underlying openSUSE Linux operating system.

NOTE: The Johnson Controls advisory says the product is the American Dynamics Tyco AI.

Rockwell Advisory

This advisory describes three vulnerabilities in the Rockwell Connected Components Workbench. The vulnerabilities were reported by Mashav Sapir of Claroty. Rockwell has a new version that mitigates the vulnerabilities. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2021-27475,

• Path traversal - CVE-2021-27471, and

• Improper input validation - CVE-2021-27473

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to achieve remote code execution, authentication bypass, or privilege escalation.
