Saturday, May 22, 2021

Public ICS Disclosures – Week of 5-15-21

This week we have seven vendor disclosures from Bosch, CODESYS (2), WAGO, ENDRESS+HAUSER, Siemens, and VMware. We have two vendor updates from Siemens. Finally, we have a researcher report for products from Advantech.

Bosch Advisory

Bosch published an advisory discussing an input validation vulnerability in their IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC application products. This is a third-party (CODESYS) vulnerability. An update for the ctrlX CORE PLC APP is pending. Generic mitigation measures are provided.

CODESYS Advisories

CODESYS published an advisory describing an improper input validation vulnerability in their CODESYS V3 products. The vulnerability was reported by Alexander Nochvay from Kaspersky Lab ICS CERT. CODESYS has software updates available to mitigate the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory describing a NULL pointer dereference vulnerability in their CODESYS V3 products. The vulnerability was reported by Uri Katz of Claroty. CODESYS has new versions available that mitigate the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

WAGO Advisory

CERT-VDE published an advisory discussing twelve vulnerabilities in the WAGO PLCs. These are third-party (CODESYS) vulnerabilities that were reported by JSC Positive Technologies. WAGO has new firmware versions available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Allocation of resources without limit or throttling - CVE-2021-21000,

• Path traversal - CVE-2021-21001,

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow (2) - CVE-2021-30188, CVE-2021-30189,

• Improper input validation - CVE-2021-30195,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193,

• Out-of-bounds read - CVE-2021-30194,

• Improper neutralization of special elements used in an OS command - CVE-2021-30187

NOTE: The first two vulnerabilities have apparently not yet been addressed by CODESYS and have been assigned CVE numbers by CERT-VDE.

ENDRESS+HAUSER Advisory

CERT-VDE published an advisory discussing the KRACK attack vulnerabilities in the ENDRESS+HAUSER Proline portfolio flow meter products. ENDRESS+HAUSER has firmware updates that mitigate the vulnerabilities.

Siemens Advisory

Siemens published an advisory describing five vulnerabilities in their JT2Go and Teamcenter Visualization products. The vulnerabilities were reported by the Zero Day Initiative and Carsten Eiram from Risk Based Security. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2020-26991,

• Out-of-bounds read (3) - CVE-2020-26998, CVE-2020-26999, and CVE-2020-27002, and

• Stack-based buffer overflow - CVE-2020-27001

NOTE: Apparently, none of the above vulnerabilities are the 0-day vulnerability that ZDI published for this product on April 28th.

VMware Advisory

VMware published an advisory describing three out-of-bounds read vulnerabilities in their VMware Workstation and Horizon Client for Windows. These are third-party (Cortado ThinPrint) vulnerabilities. The vulnerabilities were reported by Anonymous at ZDI and Hou JingYi of Qihoo 360. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE: The Cortado web site makes the following claim about ThinPrint, so these vulnerabilities may exist in other ICS products as well.

“Thanks to numerous OEM partnerships, ThinPrint technology components are integrated in a variety of terminals, print boxes and thin client of leading hardware manufacturers.”

Siemens Updates

Siemens published an update for their JT2Go and Teamcenter Visualization advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021. The new information includes:

• Moving vulnerabilities CVE-2020-26989, CVE-2020-26990, and CVE-2020-28383 to advisory SSA-663999 (see below), and

• Moving vulnerability CVE-2020-26991 to SSA-695540 (see new advisory above).

NOTE: NCCIC-ICS should be updating their advisory, ICSA-21-012-03, this coming week.

Siemens published an update for their JT2Go and Teamcenter Visualization advisory that was originally published on February 9th, 2021. The new information includes:

• Removing vulnerabilities CVE-2020-26991, CVE-2020-26998, CVE-2020-26999, CVE-2020-27001, and CVE-2020-27002, and

• Adding vulnerabilities CVE-2020-28383 and CVE-2021-31784 (from update above).

NOTE: NCCIC-ICS should be updating their advisory, ICSA-21-040-06, this coming week.

Advantech Report

ZDI published a report describing a use of hard-coded credentials vulnerability in the Advantech BB-ESWGP506-2SFP-T industrial switches. ZDI coordinated the disclosure with NCCIC-ICS.
