Saturday, May 1, 2021

Public ICS Disclosures – Week of 4-24-21

This week we have three vendor NAME:WRECK disclosures from Boston Scientific, Braun, and Rockwell. We also have 14 vendor disclosures from Beckhoff, Bosch (2), B&R Industrial Automation, MB connect, CODESYS (5), Moxa, ODA, and Texas Instruments (2). We have five researcher reports for products from Advantech (4) and Siemens. Finally, we have exploits for products from OpenPLC and VMware.

NAME:WRECK Advisories

Boston Scientific published an advisory discussing the NAME:WRECK vulnerabilities, announcing that they are investigating to see if any of their products are affected.

Braun published an advisory discussing the NAME:WRECK vulnerabilities, announcing that none of their ‘connected devices’ are affected.

Rockwell published an advisory discussing the NAME:WRECK vulnerabilities, providing a list of affected products and fixed versions.

Beckhoff Advisory

Beckhoff published an advisory describing an improper input validation vulnerability in their TwinCAT OPC UA Server and IPC Diagnostics UA Server. The vulnerability was reported by Industrial Control Security Laboratory of QI-ANXIN Technology Group. Beckhoff has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Bosch Advisories

Bosch published an advisory describing seven vulnerabilities in their ctrlX CORE - IDE App. These are third-party (OpenSSL and Python) vulnerabilities. The next version of the product will mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• Improper encoding or escaping of output - CVE-2020-26116 (exploit),

• Inadequate information (NIST ?) - CVE-2020-27619,

• HTTP request smuggling - CVE-2021-23336 (exploit),

• Integer overflow or wraparound - CVE-2021-23840, CVE-2021-23841,

• Classic buffer overflow - CVE-2021-3177 (exploit), and

• NULL pointer dereference - CVE-2021-3449

Bosch published an advisory describing an FTP backdoor in their Rexroth Fieldbus Couplers. Bosch provides generic workarounds.

B&R Advisory

B&R published an advisory describing an uncontrolled resource consumption vulnerability in their I/O system and HMI components. This is a third-party (Siemens) vulnerability. B&R provides generic workarounds.

MB Advisory

CERT-VDE published an advisory discussing the DNSpooq vulnerabilities in the MB connect mbNET products. MB connect has new versions that mitigate the vulnerabilities.

CODESYS Advisories

CODESYS published an advisory [.PDF download link] describing a cross-site request forgery vulnerability in their CODESYS Automation Server. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing a NULL pointer dereference vulnerability in their CODESYS V3 products containing the CmpGateway. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an insufficient verification of data authenticity vulnerability in their Development System V3. The vulnerability was reported by an OEM customer. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an insufficient verification of data authenticity vulnerability in their Development System V3. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an improper input validation vulnerability in their V3 products and Control V3 Runtime System Toolkit. The vulnerability was reported by Alexander Nochvay from Kaspersky Lab ICS CERT. CODESYS has a new version that mitigates the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

Moxa Advisory

Moxa published an advisory describing four vulnerabilities in their NPort IA5000A Series Serial Device Servers. The vulnerabilities were reported by Alexander Nochvay from Kaspersky Lab ICS CERT. Moxa has a new version to mitigate one of the vulnerabilities and workarounds for the others. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper access control - CVE-2020-27149,

• Unprotected storage of credentials - CVE-2020-27150,

• Cleartext transmission of sensitive information (2) - CVE-2020-27184 and CVE-2020-27185

ODA Advisory

ODA published an advisory describing an out-of-bounds write vulnerability in their Open Design Alliance Drawings SDK. ODA has a new version that mitigates the vulnerability.

NOTE: This is a very minimalist advisory.

TI Advisories

TI published an advisory discussing the BadAlloc vulnerabilities in their SimpleLink™ CC13XX, CC26XX, CC32XX and MSP432E4 products. TI provides generic workarounds for these vulnerabilities.

TI published an advisory describing an integer overflow vulnerability in their Networks Developers Kit. The vulnerability was reported by Omri Ben Bassat and David Atch of Microsoft. The product is no longer supported.

Advantech Report

The Zero Day Initiative published four reports for vulnerabilities in the Advantech WebAccess/HMI Designer products. The vulnerabilities were reported by kimiya and have been coordinated with NCCIC-ICS and an advisory from them is pending.

The four reported vulnerabilities are:

• Heap-based buffer overflow - ZDI-21-490 and ZDI-21-487,

• File parsing memory corruption - ZDI-21-489, and

• Out-of-bounds write - ZDI-21-488

Siemens Report

ZDI published a report describing an information validation vulnerability in the Siemens JT2Go product. The vulnerability was reported by Michael DePlante. ZDI has been coordinating with NCCIC-ICS since last September.

OpenPLC Exploit

Fellipe Oliveira published an exploit for a remote code execution vulnerability in the OpenPLC product. There is no CVE provided and no indications of coordination with the vendor. This may be a 0-day vulnerability.

VMware Exploit

Egor Dimitrenko published a Metasploit module for two vulnerabilities in the VMware vRealize Operations Manager. The vulnerabilities were reported by VMware on March 31st, 2021.

The two exploited vulnerabilities are:

• Server-side request forgery - CVE-2021-21975, and

• Arbitrary file write - CVE-2021-21983
