
Thursday, November 14, 2024

Review – 18 Advisories and 1 Update Published

Today, CISA’s NCCIC-ICS published 17 control system security advisories for products from 2N, Hitachi Energy, Rockwell (3) and Siemens (12). They also published a medical device security advisory for products from Baxter. Finally, they updated an advisory for products from Elvaco.

Control System Advisories

2N Advisory - This advisory describes three vulnerabilities in the 2N Access Commander IP access control system.

Rockwell Advisory #1 - This advisory describes an improper validation of specified quantity in input in the Rockwell Arena Input Analyzer.

Rockwell Advisory #2 - This advisory describes three vulnerabilities in the Rockwell FactoryTalk Updater.

Rockwell Advisory #3 - This advisory discusses a prototype pollution vulnerability in the Rockwell Verve Asset Manager.

Mendix Advisory - This advisory describes a race condition vulnerability in the Siemens Mendix Runtime.

SIMATIC CP Advisory - This advisory describes an incorrect authorization vulnerability in the Siemens SIMATIC CP1543-1.

TeleControl Server Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Siemens TeleControl Server.

Spectrum Power Advisory - This advisory describes an incorrect privilege assignment vulnerability in the Siemens Spectrum Power 7 product.

SINEC INS Advisory - This advisory discusses 59 vulnerabilities in the Siemens SINEC Infrastructure Network Services (INS) product.

Engineering Platforms Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Siemens Engineering Platforms.

SCALANCE Advisory - This advisory discusses 16 vulnerabilities in the Siemens SCALANCE M-800 Family.

SOLID Edge Advisory - This advisory describes three vulnerabilities in the Siemens Solid Edge SE2024.

SINEC NMS Advisory - This advisory discusses 17 vulnerabilities in the SINEC Network Management System (NMS) product.

OZW672 and OZW772 Web Server Advisory - This advisory describes a cross-site scripting vulnerability in the Siemens OZW672 and OZW772 web servers.

SIPORT Advisory - This advisory describes an incorrect permission vulnerability in the Siemens SIPORT product.

RUGGEDCOM Crossbow Advisory - This advisory discusses two vulnerabilities (both with publicly available exploit code) in the Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC).

Medical Device Advisory

Baxter Advisory - This advisory describes nine vulnerabilities (one with publicly available exploit code) in the Baxter Life2000 Ventilation System.

Update

Elvaco Update - This update provides additional information on the M-Bus Metering Gateway advisory that was originally published on October 17th, 2024.


For more information on these advisories, including links to 3rd party advisories, researcher reports and exploits, as well as a brief summary of the changes in the update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/18-advisories-and-1-update-published - subscription required. 

Thursday, September 5, 2024

Review – 2 Advisories and 2 Updates Published – 9-5-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Hughes, and a medical device security advisory for products from Baxter. They also updated two advisories for products from Mitsubishi.

Advisories

Hughes Advisory - This advisory describes two vulnerabilities in the Hughes WL3000 Fusion Software.

Baxter Advisory - This advisory describes two vulnerabilities in the Baxter Connex Health Portal.

Updates

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on October 29th, 2020, and most recently updated on December 19th, 2023.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on December 22nd, 2022, and most recently updated on July 9th, 2024.


For more information on these advisories, including brief summaries of changes made in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-2-updates-published-371 - subscription required.

Thursday, May 30, 2024

Review – 6 Advisories and 1 Update Published – 5-30-24

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Westermo, Inosoft, Fuji Electric, and Carrier. They also updated an advisory for products from Mitsubishi Electric. Finally, they published two medical device security advisories for products from Baxter.

NIST published a brief update on the status of the problems with the National Vulnerability Database (NVD).

Advisories

Westermo Advisory - This advisory describes two vulnerabilities in the Westermo EDW-100 Serial to Ethernet converter.

Inosoft Advisory - This advisory describes an incorrect default permissions vulnerability with known exploit in the Inosoft VisiWin HMI.

Fuji Advisory - This advisory describes two vulnerabilities in the Fuji Monitouch V-SFT screen configuration software.

Carrier Advisory - This advisory describes three vulnerabilities in the Carrier LenelS2 NetBox access control and event monitoring system.

Baxter Advisory #1 - This advisory describes a use of default cryptographic key vulnerability in the Baxter Welch Allyn Connex Spot Monitor.

Baxter Advisory #2 - This advisory describes an insufficiently protected credentials vulnerability in the Baxter Welch Allyn Configuration Tool.

Updates

Mitsubishi Update - This advisory provides additional information on the MELSEC iQ-R advisory that was originally published on December 22nd, 2022 and most recently updated on December 12th, 2023.

NVD Update

NVD Database Problem Update - Yesterday NIST updated the status of the problem with NVD maintenance issues.


For more information on these advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-fa6 - subscription required.


Thursday, September 29, 2022

Review – 2 Advisories and 4 Updates Published – 9-29-22

Today CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi Energy. They also updated four advisories for products from Baxter, ARC, and Delta Electronics (2).

Hitachi Energy Advisory # 1 - This advisory describes five vulnerabilities in the Hitachi Energy MicroSCADA Pro/X SYS600. The vulnerabilities are self-reported.

NOTE: I briefly discussed these vulnerabilities on September 10th, 2022.

Hitachi Energy Advisory #2 - This advisory describes a reliance on uncontrolled component vulnerability in the MicroSCADA Pro/X SYS600.

NOTE: I briefly discussed these vulnerabilities on September 10th, 2022.

Baxter Update - This update provides additional information on an advisory that was originally published on September 8th, 2022.

ARC Update - This update provides additional information on an advisory that was originally published on August 23, 2022.

NOTE: I briefly discussed these changes in the PcVue update.

Delta Update #1 - This update provides additional information on an advisory that was originally published on September 1st, 2022.

Delta Update #2 - This update provides additional information on an advisory that was originally published on July 1st, 2021 and most recently updated on July 27th, 2021 (not 2022).


For more details about these advisories, including links to third-party advisories and a brief description of changes made in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-4-updates-published-0a1 - subscription required.


Thursday, September 8, 2022

Review – 2 Advisories and 2 Updates Published – 9-8-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from MZ Automation and a medical device security advisory for products from Baxter. They also updated advisories for products from PTC and Hillrom.

MZ Advisory - This advisory describes four vulnerabilities in the MZ Automation libIEC61850, a library for IEC 61850 implementation.

NOTE: Since this is a library product, the vulnerabilities are only exploitable in a product in which the library is used. So, we can expect to see this show up as third-party vulnerabilities in products from other vendors.

Baxter Advisory - This advisory discusses four vulnerabilities (with proof-of-concept code available) in the Sigma and Baxter Spectrum Infusion Pumps. The Baxter advisory notes that the vulnerabilities only affect the Spectrum Wireless Battery Module (WBM) that may be used by the infusion pumps.

PTC Update - This update provides new information on an advisory that was originally published on August 30th, 2022.

Hillrom Update - This update provides new information on an advisory that was originally published on June 1st, 2021 and most recently updated on December 14th, 2021.

NOTE: The Hillrom advisory is nearly a duplicate of the CISA advisory (including the questionable use of the CISA seal), but it specifically mentions the December 14th, 2021 update where the CISA advisory does not directly. I also like their use of the ‘Unclassified’ document marking.


For more details about these advisories and updates, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-2-updates-published - subscription required.

Friday, August 12, 2022

Review – 14 Updates Published – 8-11-22

Yesterday, CISA’s NCCIC-ICS published one medical device security update for products from Baxter and 13 control system security updates from Siemens. Siemens published 24 additional updates this week and Schneider published four advisories and seven updates. I will be covering those this weekend.

Baxter Update - This update provides additional information on an advisory that was originally reported on June 18th, 2020 and most recently updated on June 23rd, 2020.

SRCS VPN Update - This update provides additional information on an advisory that was originally published on July 14th, 2022.

Simcenter Update - This update provides additional information on an advisory that was originally published on July 14th, 2022.

RUGGEDCOM Update - This update provides additional information on an advisory that was originally published on July 14th, 2022.

Industrial Products Update #1 - This update provides additional information on an advisory that was originally published on May 12th, 2022 and most recently updated on July 14th, 2022.

Industrial Products Update #2 - This update provides additional information on an advisory that was originally published on April 9th, 2019 and most recently updated on April 14th, 2022.

Industrial Products Update #3 - This update provides additional information on an advisory that was originally published on July 11th, 2021 and most recently updated on June 16th, 2022.

Industrial Products Update #4 - This update provides additional information on an advisory that was originally published on August 10th, 2021 and most recently updated on July 14th, 2022.

Teamcenter Update #1 - This update provides additional information on an advisory that was originally published on May 12th, 2022 and most recently updated on June 16th, 2022.

Teamcenter Update #2 - This update provides additional information on an advisory that was originally published on June 16th, 2022.

TIA Portal Update - This update provides additional information on an advisory that was originally published on January 14th, 2020 and most recently updated on June 16th, 2022.

Datalogics Update - This update provides additional information on an advisory that was originally published on July 14th, 2022.

Linux Products Update - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on June 16th, 2022.

SIMATIC Update - This update provides additional information on an advisory that was originally published on July 14th, 2022.


For more details on these updates, including summary of changes made, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-updates-published-8-11-22 - subscription required.

Saturday, March 26, 2022

Review – Public ICS Disclosures – Week of 3-19-22

This week we have fourteen vendor disclosures from Baxter, Bosch, Endress+Hauser, HP (2), Moxa, Philips, Phoenix Contact (2), SonicWall, Splunk, VMware, and Western Digital (2). We also have five vendor updates from HP (2), Mitsubishi, Spacelabs, and Yokogawa. Finally, we have two researcher reports for vulnerabilities in products from Integrated Control Technology (2).

Baxter Advisory - Baxter published an advisory discussing the Access:7 vulnerabilities.

Bosch Advisory - Bosch published an advisory discussing an improper restriction of XML external entity reference vulnerability in their Fire Monitoring System products.

Endress+Hauser Advisory - CERT VDE published an advisory discussing an out-of-bounds write vulnerability in a number of Endress+Hauser products.

HP Advisory #1 - HP published an advisory discussing a denial-of-service/RCE vulnerability in a number of their corporate printer products.

HP Advisory #2 - HP published an advisory describing a buffer overflow vulnerability in a number of their corporate printer products.

Moxa Advisory - Moxa published an advisory discussing a default password vulnerability in unnamed products.

Philips Advisory - Philips published an advisory discussing a Windows® IKE Extension vulnerability.

Phoenix Contact Advisory #1 - Phoenix Contact published an advisory discussing two vulnerabilities with publicly available exploits in their PLCnext Technology Toolchain and FL Network Manager products.

Phoenix Contact Advisory #2 - Phoenix Contact published an advisory discussing fifteen vulnerabilities with publicly available exploits in their PROFINET software development kit (SDK).

SonicWall Advisory - SonicWall published an advisory describing a stack-based buffer overflow vulnerability in their SonicOS.

Splunk Advisory - Splunk published an advisory describing an out-of-bounds read vulnerability in their Enterprise products.

Commentary – It seems like Claroty is going to continue to look at vulnerabilities in the cybertools used by security researchers. Their first report in this area was on vulnerabilities in Wireshark products though they did not publicly report on those vulnerabilities. It seems that the folks developing security tools are subject to the same software development problems that researchers find in industrial control systems.

VMware Advisory - VMware published an advisory describing two vulnerabilities in their Carbon Black App Control.

Western Digital Advisory #1 - Western Digital published an advisory discussing an out-of-bounds read/write vulnerability with publicly available exploits in their My Cloud OS 5 devices.

Western Digital Advisory #2 - Western Digital published an advisory discussing seven vulnerabilities (including 1 publicly available exploit) in their My Cloud products.

HP Update #1 - HP published an update for their UEFI firmware advisory that was originally published on February 2nd, 2022.

HP Update #2 - HP published an update for the PC BIOS advisory that was originally published on March 8th, 2022.

Mitsubishi Update - Mitsubishi published an update for their FragAttacks advisory that was originally published on September 2nd, 2021.

Spacelabs Update - Spacelabs published an update for their Access:7 advisory that was originally published on March 15th, 2021.

Yokogawa Update - Yokogawa published an update for their license function advisory that was originally published on January 14th, 2022.

ICT Reports - Zero Science published two reports about vulnerabilities (with publicly available exploits) in the ICT Protege GX integrated access control, intrusion detection and building automation solution.


For more details about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-db0 - subscription required.

Saturday, September 4, 2021

Review - Public ICS Disclosures – Week of 8-28-21

This week we have sixteen vendor disclosures from ABB, Aruba Networks, Baxter, WAGO (3), Hitachi ABB Power Grids, Hewlett Packard Enterprise, Mitsubishi (2), Moxa (2), OPC Foundation, Philips, and QNAP (2). We also have three vendor updates from CODESYS. There are also 20 researcher reports for products from Fuji Electric. Finally, we have an exploit for products from Geutebruck.

ABB Advisory - ABB published an advisory describing a remote code execution vulnerability in their Base Software for SoftControl product.

Aruba Advisory - Aruba published an advisory describing 15 vulnerabilities in their ArubaOS product.

Baxter Advisory - Baxter published an advisory discussing the PrintNightmare vulnerability.

WAGO Advisory #1 - CERT VDE published an advisory describing an improper authentication and access control vulnerability in the WAGO 750-36X and WAGO 750-8XX products.

WAGO Advisory #2 - CERT VDE published an advisory discussing two out-of-bounds read vulnerabilities in the e!COCKPIT and WAGO-I/O-Pro products.

WAGO Advisory #3 - CERT VDE published an advisory describing a missing release of resources after effective lifetime vulnerability in WAGO PLCs.

Hitachi ABB Advisory - Hitachi ABB published an advisory describing a clear-text storage of sensitive information vulnerability in their System Data Manager – SDM600 products.

HPE Advisory - HPE published an advisory discussing two vulnerabilities in the SGI UV 300/3000 and HPE Integrity MC990 X Servers.

Mitsubishi Advisory #1 - Mitsubishi published an advisory discussing the FragAttacks WiFi vulnerabilities.

Mitsubishi Advisory #2 - Mitsubishi published an advisory discussing the BadAlloc vulnerabilities (Amazon FreeRTOS is the specific product involved here).

Moxa Advisory #1 - Moxa published an advisory describing 59 vulnerabilities in their TAP-323, WAC-1001, and WAC-2004 Series Wireless AP/Bridge/Client.

Moxa Advisory #2 - Moxa published an advisory describing 59 vulnerabilities in their OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router.

OPC Foundation - OPC Foundation published an advisory describing an access of memory location after end-of-buffer vulnerability in their Local Discovery Server.

Philips Advisory - Philips published an advisory discussing the HiveNightmare vulnerability.

QNAP Advisory #1 - QNAP published an advisory describing two vulnerabilities in their QNAP NAS running HBS 3.

QNAP Advisory #2 - QNAP published an advisory describing an out-of-bounds read vulnerability in their QNAP NAS running QTS, QuTS hero, and QuTScloud.

CODESYS Update #1 - CODESYS published an update for their V3 web server advisory that was originally published on May 19th, 2021 and most recently updated on July 22nd, 2021.

CODESYS Update #2 - CODESYS published an update for their V3 web server advisory that was originally published on July 15th, 2021.

CODESYS Update #3 - CODESYS published an update for their Gateway V3 advisory that was originally published on July 15th, 2021.

Fuji Electric Reports - The Zero Day Initiative published 20 reports describing 0-day vulnerabilities in the Fuji Tellus Lite V-Simulator.

Geutebruck Exploit - Titouan Lazard, Sebastien Charbonnier, and Ibrahim Ayadhi published a Metasploit module for eight previously reported vulnerabilities in the Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices.


For more details on the advisories and reports, including links to third-party reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8 - subscription required.

Wednesday, July 15, 2020

12 Updates Published – 7-14-20


Yesterday CISA NCCIC-ICS published 11 control system security updates for products from Siemens (10) and Treck. They also published a medical device security update for products from Baxter.

PROFINET Update #1


This update provides additional information on an advisory that was originally published on May 9th, 2017 and most recently updated on October 8th, 2019. The new information includes adding SIMATIC TDC CP51M1 and CPU555 to the list of affected products.

Industrial Products Update #1


This update provides additional information on an advisory that was originally published on December 5th, 2017 and most recently updated on October 8th, 2019. The new information includes adding SIMATIC TDC CP51M1 and CPU555 to the list of affected products.

SCALANCE Update


This update provides additional information on an advisory that was originally published on August 15th, 2019. The new information includes adding mitigation links and updating affected version data for SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG.

PROFINET Update #2


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on March 14th, 2020. The new information includes adding SIMATIC TDC CP51M1 and CPU555 to the list of affected products.

S7-1200 Update


This update provides additional information on an advisory that was originally published on November 14th, 2019 and most recently updated on December 10th, 2019. The new information includes mitigation links and updated version information for SIMATIC S7-1200 and SIMATIC S7-200 SMART.

SIMATIC Update #1


This update provides additional information on an advisory that was originally published on February 11th, 2020 and most recently updated on May 12th, 2020. The new information includes mitigation links and updated version information for SIMATIC PCS 7 V9.0.

Industrial Products Update #2


This update provides additional information on an advisory that was originally published on February 11th, 2020. The new information includes mitigation links and updated version information for IE/PB LINK PN IO.

SIMATIC Update #2


This update provides additional information on an advisory that was originally published on March 10th, 2020. The new information includes:

• Adding SIMATIC TDC CP51M1 and SIMATIC TDC CPU555 to the list of affected products, and
• Adding mitigation links and updated affected version information for SINUMERIK 840D sl.

SIMATIC Update #3


This update provides additional information on an advisory that was originally published on July 9th, 2020. The new information includes mitigation links and updated version information for SIMATIC PCS 7 V9.0.

SIMATIC Update #4


This update provides additional information on an advisory that was originally published on July 9th, 2020. The new information includes mitigation links and updated version information for:

• SIMATIC STEP 7 V13,
• SIMATIC STEP 7 V16,
• SIMATIC WinCC Runtime Professional V13,
• SIMATIC WinCC Runtime Professional V16, and
• SIMATIC WinCC Runtime Advanced

Treck Update


This update provides additional information on an advisory that was originally published on June 16th, 2020 and most recently updated on July 7th, 2020. The new information includes links to vendor advisories from DIGI International and Meile.

NOTE 1: I briefly mentioned the Meile advisory last Saturday.

NOTE 2: NCCIC-ICS missed the Siemens Treck-related advisory; more on that this weekend.

Baxter Update


This update provides additional information on an advisory that was originally reported on June 18th, 2020 and most recently updated on June 23rd, 2020. The new information includes additional mitigation information for one version of Prismaflex.

Other Siemens Updates


There were two additional updated advisories published yesterday by Siemens that were not addressed by NCCIC-ICS. I will look at those on Saturday.

Wednesday, June 24, 2020

3 Advisories and 5 Updates Published – 6-23-20


Yesterday the CISA NCCIC-ICS published three control system security advisories for products from ABB, Honeywell and Mitsubishi Electric. They updated five medical device security advisories for products from BD and Baxter (4).

ABB Advisory


This advisory describes an insecure storage of sensitive information vulnerability in the ABB Device Library Wizard. The vulnerability was reported by William Knowles of Applied Risk. ABB has new versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a low-level user to escalate privileges and fully compromise the device.

Honeywell Advisory


This advisory describes two cleartext transmission of sensitive information vulnerabilities in the Honeywell ControlEdge PLC and RTU. The vulnerabilities were reported by Nikolay Sklyarenko of Kaspersky. Honeywell provides a document (login required) describing the mitigation measures for these vulnerabilities. There is no indication that Sklyarenko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain passwords and session tokens.

Mitsubishi Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in the Mitsubishi MELSEC CPU modules. The vulnerability was reported by Shunkai Zhu, Rongkuan Ma and Peng Cheng from NESC Lab. Mitsubishi provides generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow information disclosure, information tampering, unauthorized operation, or a denial-of-service condition.

NOTE: NCCIC-ICS did not publish the link to the Mitsubishi advisory.

BD Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the BD advisory.

Sigma Spectrum Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Phoenix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

PrismaFlex Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisories (PrismaFlex and PrisMax).

ExactaMix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Friday, June 19, 2020

11 Advisories and 1 Update Published – 6-18-20


Today the CISA NCCIC-ICS published five control system security advisories for products from Rockwell Automation (2), ICONICS, Mitsubishi Electric, and Johnson Controls; and six medical device security advisories for products from BD, BIOTRONIK and Baxter (6). They also updated the Treck TCP/IP advisory that was published earlier this week.

FactoryTalk View SE Advisory


This advisory describes four vulnerabilities in the Rockwell FactoryTalk View SE. The vulnerabilities were reported by the Zero Day Initiative. Rockwell has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper input validation - CVE-2020-12029,
• Improper restriction of operations within a memory buffer - CVE-2020-12031,
• Permissions, privileges, and access control - CVE-2020-12028, and
• Exposure of sensitive information to an unauthorized actor - CVE-2020-12027

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote authenticated attacker to manipulate data of affected devices.

NOTE: These vulnerabilities were discovered in the Pwn2Own competition at this year’s S4 Security conference in Miami, Florida.

FactoryTalk Services Platform Advisory


This advisory describes an improper input validation vulnerability in the Rockwell FactoryTalk Services Platform. No vulnerability disclosure information is provided in the advisory. Rockwell provides generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an unauthenticated attacker to execute remote COM objects with elevated privileges.

NOTE: This vulnerability was discovered in the Pwn2Own competition at this year’s S4 Security conference in Miami, Florida.

ICONICS Advisory


This advisory describes five vulnerabilities in the ICONICS GENESIS64 and GENESIS32 products. The vulnerabilities were reported by Tobias Scharnowski, Niklas Breitfeld, Ali Abbasi, Yehuda Anikster of Claroty; Pedro Ribeiro and Radek Domanski of Flashback; Ben McBride of Oak Ridge National Laboratory; and Steven Seeley and Chris Anastasio of Incite. ICONICS has patches that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-12011,
• Deserialization of untrusted data (3) - CVE-2020-12015, CVE-2020-12009, and CVE-2020-12007, and
• Code injection - CVE-2020-12013

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow remote code execution or denial of service.

NOTE: ICONICS takes an unusual approach to the publication of security advisories. The two separate product advisories for this NCCIC-ICS report (GENESIS64 and GENESIS32) contain summaries of all the vulnerabilities reported to/by NCCIC-ICS (and its predecessor, ICS-CERT) since 2011. If/when new vulnerabilities are reported, they are added to the respective product vulnerability report.

Mitsubishi Advisory


This advisory describes five vulnerabilities in the Mitsubishi MC Works64 and MC Works32 products. The vulnerabilities were reported by Tobias Scharnowski, Niklas Breitfeld, Ali Abbasi, Yehuda Anikster of Claroty; Pedro Ribeiro and Radek Domanski of Flashback; Ben McBride of Oak Ridge National Laboratory; and Steven Seeley and Chris Anastasio of Incite. Mitsubishi has patches that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-12011,
• Deserialization of untrusted data (3) - CVE-2020-12015, CVE-2020-12009, and CVE-2020-12007, and
• Code injection - CVE-2020-12013

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to allow remote code execution, a denial-of-service condition, information disclosure, or information tampering.

NOTE 1: The reporting information and CVE numbers indicate that these are the same vulnerabilities reported in the ICONICS advisory above. It is interesting to note the differing exploit information in the two advisories.

NOTE 2: Mitsubishi now has a publicly available PSIRT page.

Johnson Controls Advisory


This advisory describes an improper verification of cryptographic signature vulnerability in the Johnson Controls exacqVision product. The vulnerability was reported by Michael Norris. Johnson Controls has newer versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow the execution of operating system commands on the system. It would seem that [IMO] a social engineering attack would be required to cause a person with administrative privileges to potentially download and run a malicious executable.

BD Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the BD Alaris PCU. The vulnerability is self-reported. BD provides generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial of service (DoS) on the target system and could cause the BD Alaris PCU to disconnect from the facility’s wireless network.

NOTE: This vulnerability is one of three SACK vulnerabilities reported in the FreeBSD and Linux kernels. It would seem to me that the other two vulnerabilities might also be found in this product.

BIOTRONIK Advisory

This advisory describes five vulnerabilities in the BIOTRONIK CardioMessenger II-S T-Line and CardioMessenger II-S GSM products. The vulnerabilities were reported by Guillaume Bour, Anniken Wium Lie, and Marie Moe. BIOTRONIK has provided generic workarounds to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Improper authentication (2) - CVE-2019-18246 and CVE-2019-18252,
• Cleartext transmission of sensitive information - CVE-2019-18248,
• Missing encryption of sensitive data - CVE-2019-18254, and
• Storing passwords in an accessible format - CVE-2019-18256

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the device could exploit the vulnerabilities to obtain sensitive data, obtain transmitted medical data from implanted cardiac devices with the implant’s serial number, or impact CardioMessenger II product functionality. The same type of attacker with adjacent access could exploit the vulnerabilities to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network.

NOTE: See this Twitter thread by Marie Moe about this advisory.

Sigma Spectrum Infusion Pump Advisory

This advisory describes six vulnerabilities in the Baxter Sigma Spectrum Infusion systems. The vulnerabilities are self-reported. Baxter provided generic workarounds to mitigate the vulnerabilities.

The six reported vulnerabilities are:

• Use of hard-coded passwords (3) - CVE-2020-12039, CVE-2020-12045 and CVE-2020-12047,
• Cleartext transmission of sensitive data - CVE-2020-12040,
• Incorrect permission assignment for critical resource - CVE-2020-12041, and
• Operation on a resource after expiration or release - CVE-2020-12043

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow access to sensitive data, alteration of system configuration, and impact to system availability.

NOTE: NCCIC-ICS did not provide a link to the related Baxter advisory.

Phoenix Hemodialysis Advisory

This advisory describes a cleartext transmission of sensitive information vulnerability in the Baxter Phoenix Hemodialysis Delivery System. This vulnerability is self-reported. Baxter provides generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to view sensitive data.

NOTE: NCCIC-ICS did not provide a link to the related Baxter advisory.

PrismaFlex Advisory

This advisory describes three vulnerabilities in the Baxter PrismaFlex and PrisMax medical systems. The vulnerabilities are self-reported. Baxter has new versions that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2020-12036,
• Improper authentication - CVE-2020-12035, and
• Use of hard-coded passwords - CVE-2020-12037

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to view and alter sensitive data.

NOTE: NCCIC-ICS did not provide a link to the related Baxter advisory.

ExactaMix Advisory

This advisory describes seven vulnerabilities in the Baxter ExactaMix systems. The vulnerabilities are self-reported. Baxter has new versions that mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• Use of hard-coded password (2) - CVE-2020-12016 and CVE-2020-12012,
• Cleartext transmission of sensitive information - CVE-2020-12008,
• Missing encryption of sensitive data - CVE-2020-12032,
• Improper access control - CVE-2020-12024,
• Exposure of resource to wrong sphere - CVE-2020-12020, and
• Improper input validation - CVE-2017-0143

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow unauthorized access to sensitive data, alteration of system configuration, alteration of system resources, and impact to system availability.

NOTE: NCCIC-ICS did not provide a link to the related Baxter advisory.

Treck Update

This update provides additional information on an advisory that was originally published on June 16th, 2020. The new information is a link to the Baxter advisory on the issue.

Tuesday, September 29, 2015

ICS-CERT Publishes Siemens Update and Three New Advisories

Today the DHS ICS-CERT published a fifth update to a Siemens advisory originally published in April and most recently updated earlier in September. New advisories were also published for control system products from Baxter, Mitsubishi and Honeywell.

Siemens Update

This update reports that Siemens has produced a new version of SIMATIC S7 V8.0 SP2 that mitigates the vulnerability. The updated Siemens security advisory explains that users will actually use the SIMATIC WinCC V7.2 Upd11 update to update SIMATIC S7 V8.0 SP2.

Note: There is a minor typo in the ICS-CERT updated advisory. Before the red-marked update there is an ‘extra’ listing for SIMATIC S7 V8.0 SP2 with an incorrect link.

Baxter Advisory

This advisory describes four vulnerabilities in the Baxter SIGMA Spectrum Infusion System. The vulnerabilities were reported by Jared Bird with Allina IS Security. Baxter has produced new hardware and software versions that remove three of the four vulnerabilities. There is no indication that Bird has been provided the opportunity to verify the efficacy of the fix. This advisory was originally released to the US-CERT Secure Portal on June 30th, 2015.

The four identified vulnerabilities are:

• Use of hardcoded password - CVE-2014-5431 and CVE-2014-5434,
• Authentication bypass issues - CVE-2014-5432, and
• Cleartext storage of sensitive information - CVE-2014-543

The uncorrected vulnerability is the hardcoded password that can only be accessed manually. The three other vulnerabilities are remotely exploitable by a relatively unskilled attacker.

There is no indication in this advisory that the FDA has been contacted, or if it has been contacted that it has issued an advisory on this device.

Mitsubishi Advisory

This advisory describes a denial-of-service vulnerability in the Mitsubishi MELSEC FX-series PLCs. The vulnerability was reported by Ralf Spenneberg of OpenSource Security. A new version of the PLCs has been developed that does not have this vulnerability. There is no indication that Spenneberg has been provided an opportunity to verify the efficacy of the fix. This vulnerability was released on the US-CERT Secure Portal on May 26th, 2015.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a DoS attack that would require rebooting the PLC to recover.

ICS-CERT reports that older versions of the PLC (produced before April 2015) have not been fixed because Mitsubishi “cannot guarantee the quality of new firmware in old hardware”.

Honeywell Advisory

This advisory describes a directory traversal vulnerability in the Honeywell Experion PKS application. The vulnerability was reported by Joel Langill. Honeywell has patches for newer versions of Experion PKS that apparently (poor wording in the advisory) mitigate the vulnerability. There is no indication that Joel has been provided the opportunity to verify the efficacy of the patches.

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit this vulnerability to gain access to the host’s root directory.

ICS-CERT has assigned a 2007 CVE # to this vulnerability (CVE-2007-6483) that links to a similar directory traversal vulnerability in the Sentinel Protection Server. The BUGTRAQ report on that earlier vulnerability may be the source of the ‘publicly available exploit’.

NOTE: There is a typo in the Vulnerability Details portion of the advisory. Under ‘Existence of Exploit’ it lists: “An attacker with a low skill would be able to exploit this vulnerability.” The availability of a public exploit was reported earlier in the advisory.