Sunday, May 16, 2021

Public ICS Disclosures – Week of 5-8-21, Part 2

This week we have five additional vendor notifications from QNAP (2), VMware, and Siemens (2), plus two vendor updates from Siemens. We also have nine researcher reports for products from Moxa (4) and Siemens (5). Finally, we have three exploits for ScadaBR (2) and OpenPLC.

The sharp-eyed reader will have noted that I have not mentioned Schneider at all in yesterday’s or today’s posts. Schneider published seven new advisories and six updates on Tuesday. I am going to have to do a ‘Part 3’ to my Public ICS Disclosures post this week. I will try to get it out later today.

QNAP Advisories

QNAP published an advisory describing a command injection vulnerability in their NAS running Malware Remover 4.x. The vulnerability was reported by polict of Shielder via the Zero Day Initiative. QNAP has an update that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

QNAP published an advisory discussing the eCh0raix ransomware. QNAP is taking the unusual step of noting that eCh0raix has been reported to affect QNAP NAS devices. There is no mention of a particular vulnerability being exploited, but they do recommend (among other generic mitigation measures) not using ports 443 or 8080.

VMware Advisory

VMware published an advisory describing a cross-site scripting vulnerability in their Workspace ONE UEM console. The vulnerability was reported by Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG. VMware has patches that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Siemens Advisories

Siemens published an advisory describing 13 vulnerabilities in their SINAMICS medium voltage products. Siemens has new versions for some of the products that mitigate the vulnerabilities.

The 13 reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (2) - CVE-2021-27383 and CVE-2021-27385,

• Access memory location after the end of buffer (2) - CVE-2021-27384 and CVE-2019-8280,

• Uncontrolled resource allocation - CVE-2021-27385,

• Improper initialization (4) - CVE-2019-8259, CVE-2019-8264, CVE-2019-8265, and CVE-2019-8277,

• Out-of-bounds read (2) - CVE-2019-8260 and CVE-2019-8261,

• Heap-based buffer overflow - CVE-2019-8262,

• Stack-based buffer overflow - CVE-2019-8263, and

• Improper null termination - CVE-2019-8275.

NOTE 1: The 2019 CVEs above were previously discussed by Kaspersky Labs in a report on VNC vulnerabilities.

NOTE 2: Many of these vulnerabilities were also reported by NCCIC-ICS earlier this week in the Siemens SIMATIC HMIs/WinCC Products advisory, and back in June of 2020 in the Siemens SINUMERIK products advisory.

COMMENT: Siemens has been aware of these VNC problems for quite some time. I am surprised that they are just now getting around to reporting/fixing these problems in the two product lines being reported this week. I suspect that this is a problem that may have been prevented by use of a good software bill of materials.
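The situation described in the comment above, the same third-party VNC CVEs resurfacing in one product line after another, is exactly the case an SBOM check is meant to catch in a single pass. The following is an added example and is not code from this post or from Siemens, Kaspersky or NCCIC-ICS: it joins constructed per-product SBOMs against a constructed advisory feed and lists every product line that embeds an unfixed component version. The product names, the component name example-vnc and all version numbers are hypothetical; only the CVE identifiers are taken from the list above.

```python
"""SBOM-driven impact triage for a shared third-party component.

Added example for this post (not Siemens, Kaspersky or NCCIC-ICS tooling).
Product names, the component name "example-vnc" and all version numbers
are constructed for illustration; only the CVE identifiers are from the
post's list of SINAMICS medium voltage vulnerabilities.
"""
import re
from collections import defaultdict

# Constructed, CycloneDX-style component inventories, one per product line.
SBOMS = {
    "Product line A": [
        {"name": "rtos-kernel", "version": "7.2.1"},
        {"name": "example-vnc", "version": "0.9.11"},
    ],
    "Product line B": [
        {"name": "example-vnc", "version": "0.9.12"},
        {"name": "web-server", "version": "2.4.0"},
    ],
    "Product line C": [
        {"name": "rtos-kernel", "version": "7.2.1"},
    ],
}

# Constructed advisory feed: the CVE ids appear in the post, but the
# affected component and the "fixed_in" versions are hypothetical.
ADVISORIES = [
    {"cve": "CVE-2019-8259", "component": "example-vnc", "fixed_in": "0.9.12"},
    {"cve": "CVE-2019-8260", "component": "example-vnc", "fixed_in": "0.9.12"},
    {"cve": "CVE-2019-8262", "component": "example-vnc", "fixed_in": "0.9.13"},
    {"cve": "CVE-2019-8280", "component": "example-vnc", "fixed_in": "0.9.13"},
]


def parse_version(text):
    """Turn '0.9.11' into (0, 9, 11) so versions compare numerically.

    Only the leading digits of each dotted piece count, so '0.9.11-rc1'
    becomes (0, 9, 11). A real tool needs the component's own version rules.
    """
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(installed, fixed_in):
    """True when the installed version sorts before the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    # Pad the shorter tuple so (0, 9) compares like (0, 9, 0).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(sboms, advisories):
    """Map each product line to the sorted CVEs it inherits from its components.

    Product lines with no exposure are omitted, so the result is the work list.
    """
    hits = defaultdict(set)
    for product, components in sboms.items():
        for comp in components:
            for adv in advisories:
                if adv["component"] == comp["name"] and is_affected(
                    comp["version"], adv["fixed_in"]
                ):
                    hits[product].add(adv["cve"])
    return {product: sorted(cves) for product, cves in hits.items()}


if __name__ == "__main__":
    for product, cves in triage(SBOMS, ADVISORIES).items():
        print(f"{product}: {', '.join(cves)}")
```

With the constructed data, product line A (at 0.9.11) inherits all four CVEs, product line B (at 0.9.12) only the two fixed in 0.9.13, and product line C does not appear at all. The point of the exercise is that the join runs over every product line at once, so a component vulnerability disclosed for one product line cannot quietly remain open in another for months. In practice the inventories would come from real CycloneDX or SPDX documents and the version comparison from the component's actual release scheme.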

Siemens published an advisory discussing four vulnerabilities in their Industrial PCs and CNC devices. These are third-party (Intel) vulnerabilities. Siemens is recommending updating the BIOS on some of the affected products.

The four reported vulnerabilities are:

• Improper isolation of shared resources in System-on-a-chip - CVE-2020-8698,

• Improper privilege management - CVE-2020-8745,

• Improper authentication - CVE-2020-8694, and

• Improper input validation - CVE-2020-0590

Siemens Updates

Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on March 13th, 2021. The new information includes:

Adding the following CVEs:

CVE-2021-20305, and

Clarifying that the list of vulnerabilities is no longer maintained for versions below V2.8.4.

Siemens published an update for their DNSpooq – Dnsmasq advisory that was originally published on January 19th, 2021 and most recently updated on March 13th, 2021. The new information includes clarifying that a solution for SCALANCE W1750D is not expected.

NOTE: NCCIC-ICS does not update their DNSpooq advisory for changes in vendor advisories, since the NCCIC-ICS advisory links to the latest version of the vendor advisory.

Moxa Reports

Kaspersky published four reports for vulnerabilities in the Moxa NPort IA5000A Series. Moxa reported on these vulnerabilities on April 28th, 2021. The CVEs covered in the Kaspersky reports are:

CVE-2020-27150, and

NOTE: Links are to the respective Kaspersky reports.

Siemens Reports

ZDI published five reports of vulnerabilities in the Siemens Solid Edge Viewer. The vulnerabilities were reported by rgod. The vulnerabilities have been coordinated through NCCIC-ICS with Siemens, but Siemens has not yet published an advisory for these issues. It has, however, provided CVE numbers for the vulnerabilities. The vulnerabilities reported in the ZDI reports are:

• Improper restriction of XML External Entity - CVE-2021-27492,

• Improper validation of user-supplied data - CVE-2021-27490,

• Untrusted pointer dereference - CVE-2021-27496,

• Stack-based buffer overflow - CVE-2021-27494, and

• Out-of-bounds write - CVE-2021-27488

NOTE: Links are to the respective ZDI reports.

ScadaBR Exploits

Fellipe Oliveira published two different exploits for a vulnerability in ScadaBR. A CVE number (CVE-2021-26828) is provided, but there is no information on that CVE in either the MITRE or NIST databases. These may be 0-day exploits. The exploits employ separate techniques:

• Authenticated arbitrary file upload, and

• Linux shell upload

NOTE: Links are to the exploit reports.

OpenPLC Exploit

Fellipe Oliveira published an exploit for a remote code execution vulnerability in the OpenPLC WebServer. There is no CVE number or reference to vendor notification. This may be a 0-day exploit.
