Saturday, May 8, 2021

Public ICS Disclosures – Week of 5-1-21

This week we have four vendor disclosures from ABB (2), WAGO, and WEIDMUELLER. There are vendor updates from Dell and Rockwell Automation. We have ten researcher reports for vulnerabilities in products from Delta Industrial Automation.

ABB Advisories

ABB published an advisory discussing the NAME:WRECK vulnerabilities in their AC 800PEC controller based products. ABB provides generic workarounds for the vulnerablity.

NOTE: The NAME:WRECK vulnerability associated with the ABB products is CVE-2016-20009 (WindRiver VxWorks). A report with exploit code was published for this vulnerability in August 2016. See page 9 of the NAME:WRECK report for commentary on this situation.

ABB published an advisory describing a path traversal vulnerability in the Cassia Access Controller for their Ability™ Smart Sensor. The vulnerability was reported by Claroty. ABB reports that the vulnerability has been patched an no action is needed.

WAGO Advisory

CERT-VDE published an advisory describing six vulnerabilities in the Web-Based Management (WBM) of WAGOs industrial managed switches. The vulnerabilities were reported by Dr. Tobias Augustin and Stephan Tigges of IKS, and Kai Gaul and Jan Rubenach of ABO Wind. WAGO has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Exposure of sensitive information to an unauthorized actor - CVE-2021-20993,

• Cross-site scripting - CVE-2021-20994,

• Storage of user credentials in a cookie - CVE-2021-20995,

• Incorrect permission assignment for critical resource - CVE-2021-20996, and

• Insufficiently protected credentials - CVE-2021-20997


CERT-VDE published an advisory describing an exposure of resource to wrong sphere vulnerability in the WEIDMUELLER u-controls and IoT-Gateways. The vulnerability is self-reported. WEIDMUELLER has a new version that mitigates the vulnerability.

Dell Update

Dell published an update for their Wyse ThinOS advisory that was originally published on March 31st, 2021. There is no indication of what has changed in the advisory.

Rockwell Update

Rockwell published an update for their Logix Controllers advisory that was originally published on February 25th, 2021. The new information includes updating mitigation measures for 1783-CSP CIP Security Proxy.

NOTE: I suspect that NCCIC-ICS will update their advisory in the coming week.

Delta Reports

The Zero Day Initiative published 10 reports (ZDI-21-510 thru ZDI-21-519) for out-of-bounds read vulnerabilities in the Delta DOPSoft products. The vulnerabilities were reported by Natnael Samson. The vulnerabilities have been coordinated with NCCIC-ICS.

No comments:

/* Use this with templates/template-twocol.html */