Showing posts with label CERT-VDE.

Saturday, September 24, 2022

Review – Public ICS Disclosures – Week of 9-17-22

This week we have seventeen vendor disclosures from Bosch, Festo, HPE (3), Insyde (7), PcVue (2), Rockwell, Tanzu, and Western Digital. We also have an update from PcVue.

Bosch Advisory - Bosch published an advisory that describes an information disclosure vulnerability in their VIDEOJET Decoder VJD-7513.

Festo Advisory - CERT-VDE published an advisory that describes an improper privilege management vulnerability in the Festo control block CPX-CEC-C1 and CPX-CMXX.

HPE Advisory #1 - HPE published an advisory that discusses an information disclosure vulnerability in their Edgeline Servers.

HPE Advisory #2 - HPE published an advisory that discusses a privilege escalation vulnerability in their Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses 28 vulnerabilities in their SAN switches.

Insyde Advisory #1 - Insyde published an advisory that describes an SMM arbitrary code execution vulnerability in their InsydeH2O product.

Insyde Advisory #2 - Insyde published an advisory that describes a memory leak vulnerability in their InsydeH2O product.

Insyde Advisory #3 - Insyde published an advisory that describes an arbitrary code execution vulnerability in their InsydeH2O product.

Insyde Advisory #4 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

Insyde Advisory #5 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

Insyde Advisory #6 - Insyde published an advisory that describes a memory leak vulnerability in their InsydeH2O product.

Insyde Advisory #7 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

PcVue Advisory #1 - PcVue published an advisory that describes a sensitive information in log file vulnerability in their PcVue 15 product.

PcVue Advisory #2 - PcVue published an advisory that discusses an access of uninitialized pointer vulnerability in their PcVue product.

Rockwell Advisory - Rockwell published an advisory that describes a heap-based buffer overflow vulnerability in their ThinManager ThinServer software.

Tanzu Advisory - Tanzu published an advisory that describes an information disclosure vulnerability in their Spring Data REST product.

Western Digital Advisory - Western Digital published an advisory that describes a use of weak hash vulnerability in their WD Discovery products.

PcVue Update - PcVue published an update for their OAuth configuration advisory that was originally published on August 8th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-235-01) to reflect this new information.

 

For more details on these disclosures, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/post/74741456 - subscription required.

Saturday, February 5, 2022

Review - Public ICS Disclosures – Week of 1-29-22 – Part 1

This has been a very busy week for control system vulnerabilities and it is going to require a two-part post to address all of the information. This week we have 14 vendor disclosures from ABB (3), Aruba (3), Sante, Sealevel, WAGO, Emerson, FANUC, Honeywell (2), Philips, and Rockwell.

ABB Advisory #1 - ABB published an advisory describing three vulnerabilities in their SPIET800 INFI-Net to Ethernet Transfer and PNI800 S+ Ethernet communication interface modules.

ABB Advisory #2 - ABB published an advisory describing an improper input validation vulnerability in their System 800xA, Symphony® Plus IEC 61850 communication stack.

ABB Advisory #3 - ABB published an advisory describing a remote code execution vulnerability in their OPC Server for AC 800M products.

Aruba Advisory #1 - Aruba published an advisory discussing 15 vulnerabilities in their ArubaOS-CX 8000 Series Switches.

Aruba Advisory #2 - Aruba published an advisory discussing 15 vulnerabilities in their 9000 Series Gateways.

Aruba Advisory #3 - Aruba published an advisory discussing the PwnKit vulnerability in multiple product lines.

Sante Advisory - INCIBE-CERT published an advisory describing seven vulnerabilities in the Sante DICOM Viewer Pro.

Sealevel Advisory - INCIBE-CERT published an advisory describing twelve vulnerabilities in the Sealevel SeaConnect 370W Wi-Fi edge device.

WAGO Advisory - CERT-VDE published an advisory discussing a link following vulnerability in the WAGO e!COCKPIT and WAGO-I/O-Pro.

Emerson Advisory - Emerson published an advisory describing a credential disclosure vulnerability in multiple products. The vulnerability was reported by Dragos.

FANUC Advisory - FANUC published a notice reporting that none of their products are affected by the Log4Shell vulnerability.

Honeywell Advisory #1 - Honeywell published an advisory describing a command injection vulnerability in their IP PTZ Camera HDZP252DI.

Honeywell Advisory #2 - Honeywell published an advisory describing a video replay vulnerability in their IP Camera HBW2PER1.

Philips Advisory - Philips published an advisory discussing the PwnKit vulnerability.

Rockwell Advisory - Rockwell published a notice discussing a problem with the latest Microsoft® DCOM Hardening patch.

 

For more details about these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-cfc - subscription required.

Saturday, October 2, 2021

Review - Public ICS Disclosures – Week of 9-25-21

This week we have seven vendor disclosures from BD, Dell, Festo, Draeger (2), Philips, and Siemens.

BD Advisory - BD published an advisory discussing three vulnerabilities in their HealthSight, Knowledge, Pyxis, Kiestra, and Alaris products.

Dell Advisory - Dell published an advisory discussing two vulnerabilities in their Wyse ThinOS product.

Festo Advisory - CERT-VDE published an advisory discussing four vulnerabilities in the Festo SBRD-Q, SBOC-Q, and SBOI-Q video system products.

Draeger Advisory #1 - Draeger published an advisory describing a privilege escalation vulnerability in their Protector Software.

Draeger Advisory #2 - Draeger published an advisory discussing the BadAlloc (WindRiver version) vulnerabilities.

Philips Advisory - Philips published an advisory discussing the most recent VMware advisory.

Siemens Advisory - Siemens published an advisory describing ten vulnerabilities in their Solid Edge products.

For more details about these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-240 - subscription required.

 

Saturday, August 14, 2021

Review - Public ICS Disclosure – 8-13-21 – Part 1

This week we have two INFRA:HALT disclosures from Pilz and Rockwell. We have seven other vendor disclosures from Aveva, TRUMPF Laser, Moxa, Philips, Pilz, Sick, and SonicWall. We also have an update from VMware, and 12 researcher reports affecting products from Siemens and Delta Industrial Automation (10).

 

I will address the Siemens and Schneider advisories and updates in Part 2 tomorrow.

 

INFRA:HALT Advisories

 

Pilz published an advisory discussing the INFRA:HALT vulnerabilities.

Rockwell published an advisory discussing the INFRA:HALT vulnerabilities.

 

Other Advisories

 

Aveva Advisory - Aveva published an advisory describing three vulnerabilities in their SuiteLink Server.

HPE Advisory - HPE published an advisory describing an information disclosure vulnerability in their Edgeline Infrastructure Manager product.

TRUMPF Advisory - CERT-VDE published an advisory discussing eleven vulnerabilities in the TRUMPF TruControl and Peripheral Bus products.

Moxa Advisory - Moxa published an advisory describing a stack-based buffer overflow vulnerability in their EDS-405A Series Ethernet Switches.

Philips Advisory - Philips published an advisory discussing a Windows® print spooler elevation of privilege vulnerability (CVE-2021-34481).

Sick Advisory - Sick published an advisory discussing the 2017 Windows® SMBv1 vulnerability in their MEAC product.

SonicWall Advisory - SonicWall published an advisory describing a remote code execution vulnerability in their Analytics On-Prem product.

VMware Update - VMware published an update for their Workspace ONE Access advisory that was originally published on August 5th, 2021.

 

Researcher Reports

 

Siemens Report - Adepts of 0xCC published a report describing the development of an exploit for the memory corruption vulnerability (CVE-2020-9273) in ProFTPD 1.3.7.

Delta Report - The Zero Day Initiative published ten reports of 0-day vulnerabilities in the Delta DOPSoft product.

 

For more details on these advisories and reports, including links to exploits and third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-8-13-21-part - subscription required.

Saturday, March 13, 2021

Public ICS Disclosures – Week of 3-6-21

This week we have seven disclosures from Aruba Networks (2), Boston Scientific, PEPPERL+FUCHS, Siemens, and Schneider (2). We have vendor updates for products from Siemens (2) and Schneider (2). There is a researcher report for products from Fatek Automation. Finally, there was an exploit published for products from VMware.

Aruba Advisories

Aruba published an advisory discussing the SAD DNS vulnerability in their Instant Access Points products. Aruba has new versions that mitigate the vulnerability.

 

Aruba published an advisory describing nineteen vulnerabilities in their Instant Access Points products. Aruba has new versions that mitigate the vulnerabilities.

The 19 reported vulnerabilities are:

• Buffer overflow (3) - CVE-2019-5319, CVE-2021-25144, and CVE-2021-25149,

• Authenticated arbitrary remote command injection - CVE-2021-25150,

• Authenticated arbitrary file write - CVE-2021-25148,

• Unauthenticated command injection via DHCP options - CVE-2020-24636,

• Unauthenticated denial of service via PAPI protocol - CVE-2021-25143,

• Unauthenticated command injection via Web UI - CVE-2021-25162,

• Authenticated arbitrary file write via Web UI (2) - CVE-2021-25155, and CVE-2021-25159,

• Authenticated remote command execution (2) - CVE-2020-24635, and CVE-2021-25146,

• Authentication bypass - CVE-2019-5317 (Jenkins third-party),

• Authenticated reflected cross-site scripting - CVE-2021-25161,

• Unauthenticated arbitrary file read via race condition - CVE-2021-25158,

• Authenticated arbitrary directory create via Web UI - CVE-2021-25156,

• Authenticated arbitrary file read via Web UI - CVE-2021-25157,

• Authenticated arbitrary file write via Web UI to specific backup site - CVE-2021-25160, and

• Remote unauthorized disclosure of information - CVE-2021-25145.

Boston Scientific

Boston Scientific published an advisory discussing the Microsoft TCP/IP vulnerabilities. They report that they are looking into the impact on their products “that use the affected Microsoft Window 7 and higher operating systems”.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing three vulnerabilities in the PEPPERL+FUCHS P+F RocketLinx products. The vulnerabilities were reported by T. Weber of SEC Consult Vulnerability Lab. PEPPERL+FUCHS has new firmware versions that mitigate the vulnerabilities. There is no indication that Weber was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site request forgery - CVE-2020-12502,

• Improper input validation - CVE-2020-12503, and

• Hidden functionality - CVE-2020-12504

Siemens Advisory

Siemens published an advisory describing an improper access control vulnerability in their Mendix Forgot Password Appstore module. Siemens has a new version that mitigates the vulnerability.

Schneider Advisories

Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their PowerLogic power meters. The vulnerability was reported by Tal Keren and Rei Henigman of Claroty. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their PowerLogic power meters. The vulnerability was reported by Tal Keren and Rei Henigman of Claroty. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE: The Claroty report explains the reason for the separate reports for these very similar vulnerabilities. They note that the different product sets are affected differently resulting in very different CVSS v3.0 Base Scores.

Siemens Updates

Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on February 9th, 2021. The new information includes adding the following CVEs:

• CVE-2020-8625,

• CVE-2021-3347,

• CVE-2021-20193,

• CVE-2021-23839,

• CVE-2021-23840,

• CVE-2021-23841, and

• CVE-2021-27212

 

Siemens published an update for their CodeMeter advisory that was originally published in 2018 and most recently updated on February 9th, 2021. The new information includes updating mitigation measures for:

• SINEC INS, and

• SINEMA Remote Connect

Schneider Updates

Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on January 12th, 2021. The new information includes:

• Adding mitigation measures for EcoStruxure Building SmartX IP MP Controllers, and

• Updating affected version information for EcoStruxure Building SmartX IP RP Controllers

 

Schneider published an update for their PLC Simulator advisory that was originally reported on November 11th, 2020. The new information includes announcing the development of a remediation plan for CVE-2020-7559.

NOTE: NCCIC-ICS may not update ICSA-20-315-03 for this announcement.

Fatek Report

The Zero Day Initiative published a report of a 0-day improper validation of user supplied data vulnerability in the Fatek PLC WinProladder. According to the report, NCCIC-ICS was supposed to issue an advisory on this last Thursday. I would expect to see it published this coming week.

VMware Exploit

Mikhail Klyuchnikov published a Metasploit module for an improper privilege management vulnerability in the VMware vCenter Server. VMware reported the vulnerability on February 23rd, 2021 with new versions to mitigate.

Saturday, February 20, 2021

Public ICS Disclosure – Week of 2-13-21

This week we have nine vendor disclosures from Aruba Networks, PEPPERL+FUCHS (3), Dell, Moxa, Philips, QNAP, and Rockwell. There is an update from Mitsubishi. We have three researcher reports for vulnerabilities in products from Advantech (2) and Sytech. Finally, we have an exploit for a product from DDC.

Aruba Advisory

Aruba published an advisory describing eleven vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Daniel Jensen, Luke Young, Fernando Romero de la Morena, and the Microsoft Security Team. Aruba has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Cross-site scripting - CVE-2021-26678,

• Command injection (5) - CVE-2021-26681, CVE-2021-26679, CVE-2021-26680, CVE-2021-26683, and CVE-2021-26684,

• Local escalation of privilege - CVE-2021-26677,

• SQL injection (2) - CVE-2021-26685 and CVE-2021-26686,

• Reflected cross-site scripting - CVE-2021-26682, and

• Buffer Overflow - CVE-2020-7120

PEPPERL+FUCHS Advisories

CERT-VDE published an advisory describing an out-of-bounds write vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (RTA) EtherNet/IP Stack vulnerability. Generic mitigation measures were described.

 

CERT-VDE published an advisory describing a stack-based buffer overflow vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (Hilscher) PROFINET IO Device vulnerability. Generic mitigation measures were described.

 

CERT-VDE published an advisory describing a stack-based buffer overflow vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (Hilscher) EtherNet/IP stack vulnerability.

Dell Advisory

Dell published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in their EMC PowerProtect Cyber Recovery product. The vulnerability is self-reported. Dell has a new version that mitigates the vulnerability.

Moxa Advisory

Moxa published an advisory describing a heap-based buffer overflow vulnerability in multiple products. This is a third-party (SUDO) vulnerability. Exploits are publicly available. Moxa has upgrades available to mitigate the vulnerability.

Philips Advisory

Philips published an advisory describing three TCP/IP vulnerabilities in their products running on Microsoft Windows. The three CVE numbers (CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086) provided in the advisory are listed as ‘Reserved’ by cve.mitre.org so it is not clear what MS vulnerabilities are specifically being reported, but Philips is reportedly reviewing MS patches.

QNAP Advisory

QNAP published an advisory describing a stack-based overflow vulnerability in their QNAP NAS running Surveillance Station. The vulnerability was reported by an unnamed ‘independent security researcher’. QNAP has new versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

Rockwell Advisory

Rockwell published an advisory describing an uncontrolled search path element vulnerability in their DriveTools™ and Drives AOP products. The vulnerability was reported by Cim Stordal of Cognite and Claroty. Rockwell has new versions that mitigate the vulnerability. There are no indications that the researchers have been provided an opportunity to verify the efficacy of the fix.

Mitsubishi Update

Mitsubishi published an update for their TCP protocol stack advisory that was originally published (by NCCIC-ICS) on September 1st, 2020. The new information includes updating affected version and/or adding mitigation measures for:

• MSZ-BT20/25/35/50VGK-E1,

• MSZ-BT20/25/35/50VGK-ET1,

• MSZ-AP25/35/42/50/60/71VGK-E2,

• MSZ-AP25/35/42/50VGK-E7,

• MSZ-AP25/35/42/50VGK-EN2,

• MSZ-AP60/71VGK-ET2,

• MSZ-EF18/22/25/35/42/50VGKW(S)(B)-E1,

• MSZ-EF22/25/35/42/50VGKW(S)(B)-ER1,

• MSZ-EF25VGKB-ET1,

• MSZ-FT25/35/50VGK-E1,

• MSZ-FT25/35/50VGK-ET1,

• MSZ-FT25/35/50VGK-SC1,

• MSZ-EF22/25/35/42/50VGKW(S)(B)-A1, and

• BAC-HD150

NOTE: I expect that NCCIC-ICS will update their advisory in the coming week.

Advantech Reports

Talos published a report describing five incorrect default permission vulnerabilities (CVE-2020-13551, CVE-2020-13552, CVE-2020-13553, CVE-2020-13554, and CVE-2020-13555) in the Advantech WebAccess/SCADA installation. The report includes proof of concept code. The vulnerabilities were disclosed to Advantech in October 2020.

 

Talos published a report describing a path traversal vulnerability in the Advantech WebAccess/SCADA installation. The report includes proof of concept code. The vulnerabilities were disclosed to Advantech in October 2020.

Sytech Report

Talos published a report describing an incorrect default permissions vulnerability in the Sytech XL Reporter. The report includes proof of concept code. The vulnerabilities were disclosed to Sytech in October 2020.

DDC Exploit

Kağan Çapar published an exploit for a buffer overflow vulnerability in the DDC dataSIMS Avionics Bus Analysis & Simulation Software Tool. There is no CVE listed and no indication of notification to DDC. This may be a 0-day exploit.

Saturday, October 10, 2020

Public ICS Disclosures – Week of 10-03-20

This week we have one vendor disclosure from PEPPERL+FUCHS and one vendor update for products from 3S.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing five vulnerabilities in the PEPPERL+FUCHS Comtrol RocketLinx ethernet switches. The vulnerabilities were reported by T. Weber of SEC Consult Vulnerability Lab. PEPPERL+FUCHS has new firmware versions available that mitigate the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Unauthenticated device administration (2) - CVE-2020-12500 and CVE-2020-12502,

• Undocumented accounts - CVE-2020-12501,

• Multiple authenticated command injections - CVE-2020-12500, and

• Active TFTP-service - CVE-2020-12504

NOTE 1: The current version of this advisory on the CERT-VDE web page is marked as ‘Update A’, the original version was apparently published earlier in the week.

NOTE 2: SEC Consult reports that this is an OEM vulnerability which they do not name pending response to the vulnerability notification.

3S Update

3S published an update [.PDF download link] for their CodeMeter advisory that was originally published on September 16th, 2020 and most recently updated on September 24th, 2020. The new information includes more details about the coverage of the update for CODESYS v3.5.16.20.
