Showing posts with label ARC. Show all posts

Thursday, February 9, 2023

Review – 4 Advisories and 2 Updates – 2-9-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Horner Automation, Johnson Controls, LS ELECTRIC, and Control By Web. They also updated two advisories for products from ARC and Omron.

Advisories

Horner Advisory - This advisory describes three vulnerabilities in the Horner Cscape Envision RV, a control system remote access management software.

Johnson Controls Advisory - This advisory describes two vulnerabilities in the Johnson Controls Metasys System Configuration Tool.

LS ELECTRIC Advisory - This advisory describes seven vulnerabilities in the LS ELECTRIC XBC-DN32U PLC performance module.

Control By Web Advisory - This advisory describes two vulnerabilities in the Control By Web X-400 and X-600M, web enabled I/O Controllers.

Updates

ARC Update - This update provides additional information on an advisory that was originally published on December 20th, 2022.

NOTE: I briefly discussed ARC’s update on January 28th, 2023.

Omron Update - This update provides additional information on an advisory that was originally published on June 28th, 2022.

 

For more information on these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-2-updates-2-9-23 - subscription required.

Tuesday, December 20, 2022

Review – 5 Advisories and 1 Update Published – 12-20-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Delta Industrial, Rockwell Automation (2), ARC, and Fuji Electric. They also updated an advisory for products from Prosys.

Advisories

Delta Advisory - This advisory describes a command injection vulnerability in the Delta DX-3021 4G Router.

Rockwell Advisory #1 - This advisory describes two vulnerabilities in the Rockwell MicroLogix, a line of programmable logic controllers (PLCs).

NOTE – I briefly discussed these vulnerabilities Sunday.

Rockwell Advisory #2 - This advisory describes an improper input validation vulnerability in the Rockwell GuardLogix and ControlLogix controllers.

NOTE – I briefly discussed these vulnerabilities Sunday.

ARC Advisory - This advisory describes two vulnerabilities in the ARC PcVue SCADA software. The vulnerabilities are self-reported.

NOTE: I briefly discussed one of the vulnerabilities on November 26th, 2022.

Fuji Advisory - This advisory describes two vulnerabilities in the Fuji Electric Tellus Lite V-Simulator.

Update

Prosys Update - This update provides additional information on an advisory that was originally published on December 15th, 2022.

 

For more details about these vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-462 - subscription required. 

Thursday, September 29, 2022

Review – 2 Advisories and 4 Updates Published – 9-29-22

Today CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi Energy. They also updated four advisories for products from Baxter, ARC, and Delta Electronics (2).

Hitachi Energy Advisory #1 - This advisory describes five vulnerabilities in the Hitachi Energy MicroSCADA Pro/X SYS600. The vulnerabilities are self-reported.

NOTE: I briefly discussed these vulnerabilities on September 10th, 2022.

Hitachi Energy Advisory #2 - This advisory describes a reliance on uncontrolled component vulnerability in the MicroSCADA Pro/X SYS600.

NOTE: I briefly discussed these vulnerabilities on September 10th, 2022.

Baxter Update - This update provides additional information on an advisory that was originally published on September 8th, 2022.

ARC Update - This update provides additional information on an advisory that was originally published on August 23, 2022.

NOTE: I briefly discussed these changes in the PcVue update.

Delta Update #1 - This update provides additional information on an advisory that was originally published on September 1st, 2022.

Delta Update #2 - This update provides additional information on an advisory that was originally published on July 1st, 2021 and most recently updated on July 27th, 2021 (not 2022).

 

For more details about these advisories, including links to third-party advisories and a brief description of changes made in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-4-updates-published-0a1 - subscription required.


Wednesday, January 6, 2021

5 Updates Published – 1-5-21

Yesterday CISA’s NCCIC-ICS updated five control system security advisories for products from Mitsubishi, Yokogawa, Johnson Controls, ARC and PTC.

Mitsubishi Update

This update provides additional information on an advisory that was originally published on July 30th, 2020. The new information includes updating affected version information and mitigation measures for GT SoftGOT1000 Version3.

Yokogawa Update

This update provides additional information on an advisory that was originally published on August 11th, 2020. The new information includes adding Exaopc to the list of affected products and providing mitigation measures for that product.

NOTE: I briefly mentioned Yokogawa’s update that was the basis for this update back in early December.

Johnson Controls Update

This update provides additional information on an advisory that was originally published on October 8th, 2020. The new information includes adding the Software House C•CURE Web Client to the list of affected products and providing mitigation measures for that product.

NOTE: Looking at the Johnson Controls advisory, it looks like NCCIC-ICS updated the wrong advisory. It should have been ICSA-20-324-01 that was published on November 17th, 2020. Similar vulnerabilities were involved but the CVE number was different (CVE-2020-9049 not CVE-2020-9048).

ARC Update

This update provides additional information on an advisory that was originally published on November 3rd, 2020. The new information includes additional mitigation measures for Version 12 (12.0.17 Maintenance Release) and Version 11.2 (11.2.06097 Update).

PTC Update

This update provides additional information on an advisory that was originally published on December 17th, 2020. The new information includes updated affected version information and mitigation measures for Rockwell Automation KEPServer Enterprise.

NOTE: This information was available in the Rockwell advisory that was published on December 17th, 2020.

Tuesday, November 3, 2020

3 Advisories Published – 11-3-20

Today the CISA NCCIC-ICS published three control system security advisories for products from ARC Informatique, NEXCOM, and WAGO.

ARC Advisory

This advisory describes three vulnerabilities in the ARC PcVue. The vulnerabilities were reported by Sergey Temnikov and Andrey Muravitsky of Kaspersky Lab. ARC has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2020-26867,

• Access to critical private variable via public method - CVE-2020-26868, and

• Information exposure of sensitive information to an unauthorized actor - CVE-2020-26869

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute arbitrary code, expose sensitive data, and prevent legitimate users from connecting to PcVue services.

NEXCOM Advisory

This advisory describes two vulnerabilities in the NEXCOM NIO 50 IoT Gateway. The vulnerabilities were reported by the Zero Day Initiative. NEXCOM no longer supports the NIO 50 product.

The two reported vulnerabilities are:

• Improper input validation - CVE-2020-25151, and

• Cleartext transmission of sensitive information - CVE-2020-25155

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to view sensitive information and cause a denial-of-service condition due to improper input validation.

WAGO Advisory

This advisory describes an uncontrolled resource consumption vulnerability. This vulnerability was reported by William Knowles of Applied Risk. WAGO has new firmware that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to crash the device being accessed using a denial-of-service attack.

NOTE 1: I briefly discussed this vulnerability last Saturday.

NOTE 2: The researcher acknowledgement section of this advisory is a little confusing. William Knowles of Applied Risk reported the vulnerability via CERT@VDE.

 