Today, CISA’s NCCIC-ICS published control system security
advisories for products from multiple RTOS vendors, Johnson Controls, Cassia
Networks, and Texas Instruments.
RTOS Advisory
This advisory
describes 23 [corrected typo '13' to '23', 4-30-21 0853 EDT] different integer overflow or wraparound vulnerabilities in
multiple real-time operating systems (RTOS). The vulnerabilities were
discovered by Microsoft’s Section 52, the Azure Defender for IoT security
research group, and are collectively named BadAlloc. The advisory provides links
to updated versions for most of the affected products.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities, resulting in unexpected behavior
such as a crash or remote code injection/execution.
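As an illustration of the integer overflow or wraparound class named above (an added example, not code from the advisory, Microsoft, or any affected vendor): the size arithmetic of a calloc-style allocator, unchecked and checked. The function names and the 8-byte block header are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES 8u /* assumed per-block allocator header, for illustration */

/* Unchecked: count * size + header wraps modulo SIZE_MAX + 1, so a huge
 * request can produce a tiny byte count and an undersized block. */
size_t unchecked_bytes(size_t count, size_t size)
{
    return count * size + HDR_BYTES;
}

/* Checked: 0 and *out set on success, -1 if either step would wrap. */
int checked_bytes(size_t count, size_t size, size_t *out)
{
    if (size != 0 && count > SIZE_MAX / size)
        return -1;                       /* multiplication would wrap */
    if (count * size > SIZE_MAX - HDR_BYTES)
        return -1;                       /* header addition would wrap */
    *out = count * size + HDR_BYTES;
    return 0;
}

/* Hypothetical calloc-style wrapper: refuses requests whose size wraps. */
void *checked_calloc(size_t count, size_t size)
{
    size_t total;
    unsigned char *block;

    if (checked_bytes(count, size, &total) != 0)
        return NULL;
    block = malloc(total);
    if (block == NULL)
        return NULL;
    memset(block, 0, total);
    return block; /* header handling omitted; caller frees this pointer */
}

int main(void)
{
    size_t big = SIZE_MAX / 2 + 1; /* constructed input: big * 2 wraps to 0 */
    size_t total = 0;

    printf("unchecked: %zu bytes\n", unchecked_bytes(big, 2));
    printf("checked:   %d\n", checked_bytes(big, 2, &total));
    printf("wrapper:   %s\n", checked_calloc(big, 2) ? "allocated" : "refused");
    return 0;
}
```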
NOTE: NCCIC-ICS has updated their remote access – VPN
guidance:
“When remote access is required,
use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs
may have vulnerabilities and should be updated to the most current version
available. Also recognize VPN is only as secure as its connected devices.”
Johnson Controls Advisory
This advisory
describes an off-by-one error vulnerability in Johnson Controls exacqVision
Network Video Recorder running on unpatched versions of the Ubuntu operating
system. This is a third-party (Sudo) vulnerability and there are exploits
reported (here, here, and here for example). Johnson Controls recommends
updating the Ubuntu operating systems to mitigate the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker with
local access could exploit the vulnerability to obtain “Super User” access to the underlying
Ubuntu Linux operating system.
Cassia Advisory
This advisory
describes a path traversal vulnerability for the Cassia Networks Access
Controller. The vulnerability was reported by Amir Preminger and Sharon
Brizinov of Claroty. Cassia has a patch that mitigates the vulnerability. There
is no indication that the researchers have been provided an opportunity to
verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit this vulnerability to
read any file from the Access Controller server.
TI Advisory
This advisory
describes five vulnerabilities in the Texas Instruments SimpleLink Wi-Fi
products. The vulnerabilities were reported by David Atch and Omri Ben Bassat
from Microsoft. TI has software versions that mitigate the vulnerabilities. There
is no indication that the researchers have been provided an opportunity to
verify the efficacy of the fix.
The five reported vulnerabilities are:
• Integer overflow or wraparound (4) - CVE-2021-22677, CVE-2021-22675, CVE-2021-22679, and CVE-2021-22671, and
• Stack-based buffer overflow - CVE-2021-22673