Showing posts with label Carestream.

Saturday, March 12, 2022

Review – Public ICS Disclosures – Week of 3-5-22 – Part 1

It has been a busy week, even without the 2nd Tuesday disclosures. This will be a three-part report. This week we have thirteen vendor disclosures from Boston Scientific, Broadcom, Carestream, WAGO, Draeger, Eaton (4), GE Gas Power, Genetec, Hitachi Energy, and Johnson Controls.

Boston Scientific Advisory - Boston Scientific published an advisory discussing the Access:7 vulnerabilities.

Broadcom Advisory - Broadcom published an advisory discussing the DirtyPipe vulnerability.

Carestream Advisory - Carestream published an advisory discussing the Access:7 vulnerabilities.

Ecava Advisory - Incibe CERT published an advisory discussing eight vulnerabilities in the Ecava IntegraXor.

WAGO Advisory - VDE CERT published an advisory describing a cross-site scripting vulnerability in various WAGO PLCs.

Draeger Advisory - Draeger published an advisory discussing the PwnKit vulnerability.

Eaton Advisory #1 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #2 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #3 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #4 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

GE Gas Power Advisory - GE Gas Power published an advisory discussing the Russia-Ukraine situation.

Genetec Advisory - Genetec published an advisory describing a privilege escalation vulnerability in the Authentication Service role in their Security Center product.

Hitachi Energy Advisory - Hitachi Energy published an advisory describing seven vulnerabilities (two with published exploits) in their RelCare product.

Johnson Controls Advisory - Johnson Controls published an advisory discussing a deserialization of untrusted data vulnerability in their DSC PowerManage product.

 

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3 - subscription required.

Saturday, February 12, 2022

Review - Public ICS Disclosures – Week of 2-5-22 – Part 1

With this being the Saturday after Patch Tuesday, we have a lot to cover. In Part 1, we have 15 vendor disclosures from Carestream, Dell, Draeger (2), Eaton, GE Healthcare, HPE (4), Moxa (2), Palo Alto Networks, and QNAP (2).

Carestream Advisory - Carestream published an advisory discussing two vulnerabilities in their Image Suite systems.

Dell Advisory - Dell published an advisory discussing two vulnerabilities in their Dell Wyse Windows Embedded System.

Draeger Advisory #1 - Draeger published an advisory describing a use of an outdated operating system vulnerability in their Infinity Acute Care System workstations.

Draeger Advisory #2 - Draeger published an advisory describing an unsupported third-party (TLS 1.0) application vulnerability in their Gateway VF7.2 and VF9.0 products.

Eaton Advisory - Eaton published an advisory discussing the INFRA:HALT vulnerabilities in their easyControl EC4P PLCs.

GE Advisory - GE Healthcare published an advisory discussing the PwnKit vulnerabilities in their product line.

HPE Advisory #1 - HPE published an advisory discussing an insufficient control flow management vulnerability in their HPE ProLiant, Apollo, and Synergy Servers.

HPE Advisory #2 - HPE published an advisory describing 16 vulnerabilities in their HPE ProLiant, Apollo, Edgeline, and Synergy Servers.

HPE Advisory #3 - HPE published an advisory discussing three vulnerabilities in their HPE ProLiant, Apollo, and Synergy Servers.

HPE Advisory #4 - HPE published an advisory discussing five vulnerabilities in their Samba on NonStop products.

Moxa Advisory #1 - Moxa published an advisory describing two vulnerabilities in their MXview Series Network Management Software.

Moxa Advisory #2 - Moxa published an advisory describing a hard-coded credentials vulnerability in their EDR-G903 Series, EDR-G902 Series, and EDR-G810 Series Secure Routers.

Palo Alto Advisory - Palo Alto Networks published an advisory describing a URL filtering vulnerability in their PAN-OS software.

QNAP Advisory #1 - QNAP published an advisory discussing three vulnerabilities in Samba.

QNAP Advisory #2 - QNAP published an advisory describing an improper authentication vulnerability in their Kazoo Server.

 

For more information on these advisories, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2 - subscription required.

Saturday, August 7, 2021

Review - Public ICS Disclosures – Week of 7-31-21

This week we have three INFRA:HALT advisories from: Phoenix Contact, Schneider Electric, Siemens. We have 17 other advisories for products from Aruba, Bosch, Carestream, Genetec, Hitachi ABB Power Grids (3), Johnson Controls, Mitsubishi Electric (4), Phoenix Contact (3), PulseSecure, VMware. Finally, there are two updates from CODESYS and PcVue.

INFRA:HALT Advisories

Phoenix Contact published an advisory discussing the INFRA:HALT vulnerabilities.

Schneider published an advisory discussing the INFRA:HALT vulnerabilities.

Siemens published an advisory discussing the INFRA:HALT vulnerabilities.

Other Advisories

Aruba published an advisory describing a privilege escalation vulnerability in their Analytics and Location Engine (ALE).

Bosch published an advisory describing a cross-site request forgery vulnerability in their IP Cameras.

Carestream published an advisory discussing the PrintNightmare vulnerabilities.

Genetec published an advisory describing four vulnerabilities in their Streamvault products.

Hitachi ABB published an advisory discussing the FragAttacks WiFi vulnerabilities in their TropOS Product.

Hitachi ABB published an advisory describing a password in memory vulnerability in their Counterparty Settlement Billing (CSB) Product.

Hitachi ABB published an advisory describing a password in memory vulnerability in their Retail Operations Product.

Johnson Controls published an advisory describing an auto-update vulnerability in their Software House C•CURE 9000 product.

Mitsubishi published an advisory describing an information disclosure vulnerability in their MELSEC iQ-R Series CPU module.

Mitsubishi published an advisory describing an unauthorized log-in vulnerability in their MELSEC iQ-R series CPU modules.

Mitsubishi published an advisory describing a denial-of-service vulnerability in their MELSEC iQ-R Series CPU module.

Mitsubishi published an advisory describing an authentication bypass vulnerability in their MELSEC iQ-R Series CPU Module.

Phoenix Contact published an advisory discussing the WIBU CodeMeter vulnerabilities reported by NCCIC-ICS.

Phoenix Contact published an advisory describing a denial of service vulnerability in their PLCnext Control devices.

Phoenix Contact published an advisory describing an improper privilege management vulnerability in their FL MGUARD DM product.

PulseSecure published an advisory describing six vulnerabilities in their Pulse Connect Secure.

VMware published an advisory describing two vulnerabilities in their VMware Workspace ONE Access product.

Updates

CODESYS published an update for their CODESYS Development System V3 advisory that was originally published on July 15th, 2021.

PcVue published an update for their advisory that was originally published in November 2020.

For more details on these advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-e33 - subscription required.

Saturday, July 31, 2021

Review - Public ICS Disclosures – Week of 7-24-21

This week we have five PrintNightmare disclosures from Boston Scientific, Carestream, PEPPERL+FUCHS, Draeger, and Spacelabs Healthcare. There were four other vendor disclosures from CODESYS. We also have two updates from CODESYS.

PrintNightmare Advisories

Boston Scientific published an advisory discussing the PrintNightmare vulnerabilities.

Carestream published an advisory discussing the PrintNightmare vulnerabilities.

CERT-VDE published an advisory discussing the PrintNightmare vulnerabilities in products from PEPPERL+FUCHS.

Draeger published an advisory discussing the PrintNightmare vulnerabilities.

Spacelabs published an advisory discussing the PrintNightmare vulnerabilities.

Other Disclosures

CODESYS published an advisory describing a files or directories accessible to external parties vulnerability in their CODESYS V3 web server.

CODESYS published an advisory describing a null pointer dereference vulnerability in their CODESYS Gateway V3.

CODESYS published an advisory describing seven vulnerabilities in their CODESYS Development System V3.

CODESYS published an advisory describing a null pointer dereference vulnerability in their CODESYS EtherNetIP.

CODESYS published an update for their CODESYS V3 web server advisory that was originally published on May 19th, 2021.

CODESYS published an update for their CODESYS V3 Runtime Toolkit for VxWorks advisory that was originally published on May 19th, 2021.

For more details on these advisories and updates, including links to proof-of-concept code, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-28e - subscription required.

Saturday, July 17, 2021

Review - Public ICS Disclosures – Week of 7-10-21

This week we have eleven vendor disclosures from Aruba Networks, Carestream, CODESYS, Hitachi-ABB Power Grids, Philips, PulseSecure (2), SonicWall (2), and VMware (2). We have an updated disclosure from HMS. There are ten researcher reports for products from Advantech (4), Rockwell (5), and Schneider. Finally, we have three exploits for products from VMware, and Aruba (2).

Aruba Advisory - Aruba published an advisory describing four vulnerabilities in their AOS-CX Devices.

Carestream Advisory - Carestream published an advisory discussing the PrintNightmare vulnerabilities.

CODESYS Advisory - CODESYS published an advisory describing six vulnerabilities in their V2 web servers.

Hitachi-ABB Advisory - Hitachi-ABB published an advisory describing a password autocomplete vulnerability in their eSOMS web application.

Philips Advisory - Philips published an advisory discussing the latest SolarWinds vulnerability.

PulseSecure #1 - PulseSecure published an advisory discussing three OpenSSL vulnerabilities.

PulseSecure #2 - PulseSecure published an advisory discussing two OpenSSL vulnerabilities.

SonicWall #1 - SonicWall published an advisory discussing two OpenSSL vulnerabilities.

SonicWall #2 - SonicWall published an advisory describing an SQL injection vulnerability in their end-of-life Secure Remote Access (SRA) products.

Advantech Reports - Talos published four vulnerability reports for six vulnerabilities in the Advantech R-SeeNet product.

Rockwell Reports - Kaspersky published five reports on vulnerabilities in the Rockwell Automation ISaGRAF Runtime product.

Schneider Report - Tenable published a report describing an authentication bypass vulnerability in the Schneider Modicon M340/M580 PLC.

VMware Exploit - Wvu published a Metasploit module for an input validation vulnerability in the VMware vCenter Server.

Aruba Exploit #1 - Aleph Security published an exploit for eight vulnerabilities in the Aruba Instant (IAP) product.

Aruba Exploit #2 - GR33NH4T published an exploit for an arbitrary file write vulnerability in the Aruba Instant (IAP) product.

For more details about the advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-ab4 - subscription required.

Saturday, July 3, 2021

Review - Public ICS Disclosures – Week of 6-26-21

This week we have twelve vendor disclosures from Aruba, Carestream, Hitachi, WAGO, HMS, Philips, QNAP (5), and Tanzu. We have vendor updates from CODESYS and GE Healthcare. We have five researcher reports for products from Bosch. Finally, I would like to report that the bad links to Johnson Controls advisories that I noted (here and here) have been corrected.

Aruba Advisory - Aruba published an advisory describing thirteen vulnerabilities in their ClearPass Policy Manager.

Carestream Advisory - Carestream published an advisory [.PDF download link] discussing a third-party (Microsoft) HTTP Protocol Stack Remote Code Execution Vulnerability.

Hitachi Advisory - Hitachi published an advisory describing an OS command injection vulnerability in their Virtual File Platform.

WAGO Advisory - CERT-VDE published an advisory describing four vulnerabilities in the WAGO I/O-Check Service.

HMS Advisory - HMS published an advisory discussing the FragAttacks WiFi vulnerabilities.

Philips Advisory - Philips published an advisory discussing the PrintNightmare vulnerabilities.

QNAP Advisory #1 - QNAP published an advisory discussing the DNSpooq vulnerabilities.

QNAP Advisory #2 - QNAP published an advisory describing an XSS vulnerability in QTS and QuTS hero products.

QNAP Advisory #3 - QNAP published an advisory describing a Stored XSS vulnerability in Q'center product.

QNAP Advisory #4 - QNAP published an advisory describing a Stored XSS vulnerability in QuLog Center product.

QNAP Advisory #5 - QNAP published an advisory describing two command injection vulnerabilities in their QTS and QuTS hero products.

CODESYS Update - CODESYS published an update [.PDF download link] for their V2 web server advisory that was originally published on May 11th, 2021.

GE Healthcare Update - GE Healthcare published an update for the PACS vulnerability advisory that was originally published on December 18th, 2020.

Bosch Reports - Kaspersky published five reports for vulnerabilities in the Bosch CPP HD/MP cameras.

For more detailed information, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-a1b - subscription required.

Saturday, April 24, 2021

Public ICS Disclosures – Week of 4-17-21

This week we have two vendor NAME:WRECK disclosures from Carestream and Draeger. We also have nine other vendor disclosures from Aruba Networks (2), Bosch, Advantech, Meinberg, QNAP, VMWare, and Yokogawa (2).

NAME:WRECK Advisories

Carestream published an advisory discussing the NAME:WRECK vulnerabilities. It also addresses the Urgent/11, Ripple20, Amnesia:33, Number:Jack vulnerabilities. Carestream provides generic mitigation measures.

Draeger published an advisory discussing the NAME:WRECK vulnerabilities. Draeger reports that none of its medical devices use the affected stacks.

Aruba Advisories

Aruba published an advisory describing eleven vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by rceman and harishkumar0394 via BugCrowd, Daniel Jensen, Erik de Jong, and Vidya Bhaskar Tripathi. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Authentication bypass - CVE-2021-25147,

• Deserialization (2) - CVE-2021-25151 and CVE-2021-25152,

• SQL injection - CVE-2021-25153,

• Privilege escalation - CVE-2021-25154,

• Authenticated XML external entity (3) - CVE-2021-25163, CVE-2021-25164, and CVE-2021-25165,

• Authenticated remote command injection (2) - CVE-2021-25166 and CVE-2021-25167, and

• Authenticated open redirect - CVE-2021-29137

Aruba published an advisory describing ten vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Luke Young, hateshape and S4thi5h via BugCrowd, Daniel Jensen, and Xavier Danest. Aruba has patches that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Unauthenticated server-side request forgery - CVE-2021-29145,

• Authenticated stored cross-site scripting (3) - CVE-2021-29139, CVE-2021-29142, and CVE-2021-29146,

• Unauthenticated XML external entities - CVE-2021-29140,

• Privilege escalation - CVE-2020-7123,

• Authenticated information disclosure - CVE-2021-29138,

• Authenticated command injection - CVE-2021-29147, and

• Authenticated retrieval of sensitive information (2) - CVE-2021-29141 and CVE-2021-29144

Bosch Advisory

Bosch published an advisory describing 14 vulnerabilities in their Rexroth IoT Gateway and ctrlX CORE products. These are third-party (operating system libraries and the Linux kernel) vulnerabilities. Bosch has updates for one of the affected products, others are pending.

The 14 reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-27815,

• Null pointer dereference - CVE-2020-27830,

• Path traversal - CVE-2020-28374,

• Release of invalid pointer or reference - CVE-2020-28941,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-29568,

• Unchecked return value - CVE-2020-29569,

• Use after free (3) - CVE-2020-29660, CVE-2020-29661, and CVE-2021-20232,

• Incorrect default permissions (2) - CVE-2021-24031 and CVE-2021-24032,

• Incorrect conversion between numeric types (2) - CVE-2021-27218 and CVE-2021-27219 (exploit), and

• Insufficient information - CVE-2021-27803

Advantech Advisory

Incibe-CERT published an advisory describing two file parsing vulnerabilities in the Advantech WebAccess/HMI designer product. The vulnerabilities were reported (here and here) by kimiya via the Zero Day initiative. Advantech is working on mitigation measures.

NOTE: This is likely to be reported by NCCIC-ICS this coming week.

Meinberg Advisory

Meinberg published an advisory describing seven vulnerabilities in their LANTIME products. Meinberg has updated firmware versions to mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• CA certificate check bypass - CVE-2021-3450 (OpenSSL),

• Null pointer dereference - CVE-2021-23840, CVE-2021-23841 (both OpenSSL),

• API overflow of output length - CVE-2021-23840 (OpenSSL),

• Heap-based buffer overflow - CVE-2021-3156 (exploits) (SUDO),

• Cross-site scripting – no CVE, and

• Command line injection – no CVE

QNAP Advisory

QNAP published an advisory describing an improper authorization vulnerability in their NAS running HBS 3 Hybrid Backup Sync. The vulnerability was reported by ZUSO ART. QNAP has a new version that mitigates the vulnerability.

VMWare Advisory

VMWare published an advisory describing a privilege escalation vulnerability in their NSX-T products. The vulnerability is self-reported. VMWare has patches available to mitigate the vulnerability.

Yokogawa Advisories

Yokogawa published an advisory discussing the Meltdown/SPECTRE vulnerabilities in their CENTUM VP Controller FCS products. Yokogawa has new versions that mitigate the vulnerabilities in some of their affected products.

Yokogawa published an advisory discussing the Microsoft® VB6 runtime vulnerabilities. Yokogawa has new versions that mitigate the vulnerabilities.

Saturday, March 6, 2021

ICS Public Disclosures – Week of 2-27-21

This week we have eight public disclosures from Bosch, Carestream, ENDRESS+HAUSER, Dell, Draeger, GE Healthcare, Pulse Secure, and VMWare. An update is available for products from Rockwell. There is an end-of-life notice from Honeywell. Finally, there is an exploit for products from VMware.

Bosch Advisory

Bosch published an advisory describing a side-channel key extraction vulnerability in the Bosch cameras and encoders built on platforms CPP-ENC, CPP3, CPP4, CPP5, CPP6, CPP7 and CPP7.3. This is a third-party vulnerability (NXP). Since this is a chip-based vulnerability, Bosch is only able to provide generic workarounds. The original NinjaLab report on the NXP vulnerability contains proof-of-concept code.

NOTE: This third-party vulnerability was reported earlier in products from Rockwell, other vendors will probably also be affected.

Carestream Advisory

Carestream published an advisory discussing the Google heap-based buffer overflow vulnerability. Carestream provides a list of affected and unaffected products. Carestream will update Chrome in the next product release for the affected products.

ENDRESS+HAUSER Advisory

CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in a number of their products. ENDRESS+HAUSER provides generic workarounds pending development of appropriate mitigation measures in future versions of the product.

Dell Advisory

Dell published an advisory describing two vulnerabilities in their EMC OpenManage Server Administrator. The vulnerabilities were reported by David Yesland from Rhino Security Labs and Tenable. Dell has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass - CVE-2021-21513, and

• Path traversal - CVE-2021-21514

NOTE: The Tenable report contains proof-of-concept code for the

Draeger Advisory

Draeger published an advisory describing an out-of-bounds write vulnerability in their CC-Vision Basic and CC-Vision E-Cal Software. The vulnerability was reported by Mario Ceballos. Draeger has new versions that mitigate the vulnerability. There is no indication that Ceballos has been provided an opportunity to verify the efficacy of the fix.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing the Microsoft Windows TCP/IP vulnerabilities. GE Healthcare reports that they are actively assessing products to see if they are affected.

Pulse Secure Advisory

Pulse Secure has published an advisory discussing the Trickboot vulnerability in their PSA-Series Hardware. Pulse Secure has a BIOS patch available that mitigates the vulnerability.

VMWare Advisory

VMWare published an advisory describing a remote code execution vulnerability in their View Planner product. The vulnerability was reported by Mikhail Klyuchnikov of Positive Technologies. VMware has a security patch that mitigates the vulnerability. There is no indication that Klyuchnikov has been provided an opportunity to verify the efficacy of the fix.

Rockwell Update

Rockwell published an update for their Logix Controllers advisory that was originally published on February 25th, 2021. The advisory was re-written for clarity.

NOTE: I suspect the NCCIC-ICS will update their advisory on this vulnerability this coming week.

Honeywell EOL Notice

Honeywell published an end-of-life notice for their Pro-Watch 4.3 and Pro-Watch 4.35 products. The products will no longer be supported after September 30th, 2021.

VMWare Exploit

Photubias published an exploit for an unauthenticated file upload vulnerability in the VMware vCenter Server 7.0. The vulnerability was previously reported by VMWare.

Saturday, February 27, 2021

Public ICS Disclosures – Week of 2-20-21

This week we have six vendor disclosures from Advantech, Aruba Networks (2), Bosch, Carestream, and VMware. We have a researcher report for products from Secomea (and B&R automation). Finally, there are two remote access exploits for products from ASUS and

Advantech Advisory

Advantech published an advisory discussing the DNSpooq vulnerabilities in their industrial cellular routers. Advantech notes that their routers are only vulnerable to the three ‘cache poisoning’ vulnerabilities. Advantech has new firmware that mitigates the vulnerabilities.

Aruba Advisories

Aruba published an advisory discussing the DNSpooq vulnerabilities in their products. Aruba reports that their products are only vulnerable to the three ‘cache poisoning’ vulnerabilities. Aruba will update the dnsmasq in “future routine maintenance patches”.

 

Aruba published an advisory describing twelve vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by multiple researchers via the BugCrowd platform. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Cross-site request forgery (2) - CVE-2021-29960 and CVE-2021-29961,

• Command injection (2) - CVE-2021-29962 and CVE-2021-29963,

• Improper access control - CVE-2021-29964,

• SQL injection (2) - CVE-2021-29965 and CVE-2021-29966,

• Reflected cross-site scripting - CVE-2021-29967,

• Authenticated stored cross-site scripting - CVE-2021-29968,

• Authenticated XML external entity - CVE-2021-29969, and

• Authenticated remote command injection (2) - CVE-2021-29970 and CVE-2021-29971

Bosch Advisory

Bosch published an advisory describing three vulnerabilities in their ctrlX CORE and the IoT Gateway. These are third-party (Linux kernel and sudo) vulnerabilities. Bosch reports that the next updates for the affected products would include updates for both the kernel and sudo.

The three reported vulnerabilities are:

• Improper locking and use after free - CVE-2020-29661,

• Out-of-bounds write - CVE-2021-3156 (multiple exploits publicly available), and

• Use after free - CVE-2021-3347 (exploit publicly available)

Carestream Advisory

Carestream published an advisory [.PDF download link] describing a heap-based buffer overflow vulnerability in a number of their products. This is a third-party (Chrome) vulnerability. Carestream reports that Chrome will be updated with the next software release for most of the affected products. This vulnerability has been exploited in the wild, but not yet in Carestream products.

VMware Advisory

VMware published an advisory describing three vulnerabilities in their VMware ESXi and vCenter Server. The vulnerabilities were reported by Mikhail Klyuchnikov of Positive Technologies, and Lucas Leong via the Zero Day Initiative. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Remote code execution - CVE-2021-21972,

• Heap-based buffer overflow - CVE-2021-21974, and

• Server-side request forgery - CVE-2021-21973

Tenable has published a report on the vulnerabilities noting that these vulnerabilities have been exploited in the wild. NebulabdSec has published proof-of-concept code for the RCE vulnerability.

Secomea Report

Tenable published a report (including proof-of-concept code) describing three vulnerabilities in the Secomea GateManager (also applies to B&R GateManager). The report was coordinated with both Secomea and B&R; Secomea has a new version that mitigates the vulnerabilities. B&R’s response is pending.

The three reported vulnerabilities include:

• Reflected cross-site scripting - CVE-2020-29028,

• Authentication token exposed in URL path - CVE-2020-29030, and

• Authenticated malicious firmware upload - CVE-2020-29029

NOTE: This is likely to be a third-party vulnerability in products from vendors other than B&R.

Remote Access Exploits

H4rk3nz0 published an exploit for a remote code execution vulnerability in the ASUS Remote Link. There is no CVE# listed and no indication that ASUS had been contacted. This may be a 0-day exploit.

MATTHEW DUNN published a Metasploit module for an authentication timing vulnerability for Remote Desktop Web Access. There is no CVE# and no indication that Microsoft has been contacted. This may be a 0-day exploit.

Saturday, January 16, 2021

Public ICS Disclosure – Week of 1-9-21 – Part 1

This week we have six vendor disclosures from Advantech, PEPPERL+FUCHS, WAGO, Philips, RUCKUS, and Rockwell (2). We have five vendor updates from Carestream, Mitsubishi, Rockwell, Siemens, and Software Toolbox.

Advantech Advisory

Advantech published an advisory describing six vulnerabilities in their Spectre RT ERT351 and B+B SmartWorx ERT351 products. The vulnerabilities were reported by Vlad Komarov of ScadaX, and Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Advantech has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Improper neutralization of input during web page generation - CVE-2019-18233,

• Cleartext transmission of sensitive information - CVE-2019-18231,

• Improper restriction of excessive authentication attempts - CVE-2019-18235 (Linux vuln),

• Insufficiently protected credentials (no CVE number),

• Usage of broken or risky cryptographic algorithm - CVE-2019-18237,

• Use of vulnerable third-party software - CVE-2019-18239 (OpenSSH and OpenSSL)

PEPPERL+FUCHS Advisory

CERT VDE published an advisory describing a deserialization of untrusted data vulnerability in the PEPPERL+FUCHS PACTware product. This is a third-party (fdtCONTAINER component by M&M Software GmbH) vulnerability. The vulnerability was reported by M&M Software. The vulnerability will be corrected in a version to be released in the second quarter.

WAGO Advisory

CERT VDE published an advisory describing a deserialization of untrusted data vulnerability in unnamed WAGO workstations. This is the same third-party (M&M Software) vulnerability described above.

Philips Advisory

Philips published an advisory describing an undescribed vulnerability on products running on their older Haswell workstations. Philips has a patch that mitigates the vulnerability.

RUCKUS Advisory

RUCKUS published an advisory describing two vulnerabilities in the LLDP module of Ruckus Network’s AP products. These are third-party library vulnerabilities originally reported by Florian Weimer (see links below for original reporting). RUCKUS has patches that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Classic buffer overflow - CVE-2015-8011, and

• Reachable assertion - CVE-2015-8012

Rockwell Advisories

Rockwell published an advisory describing a side-channel leakage vulnerability in the NXP 7x Secure Authentication Microcontrollers. This is a third-party (Google Titan Security Key) vulnerability reported by NinjaLab. Rockwell provides generic mitigation measures.

NOTE: This is going to be an interesting one for a variety of vendors.

 

Rockwell published an advisory describing the third-party (M&M Software) fdtCONTAINER vulnerability described above in their FactoryTalk AssetCentre products. Rockwell has a software update that mitigates the vulnerability.

NOTE: Third-party vulnerabilities strike far and wide (SIGH).

Carestream Update

Carestream published an update [.PDF download link] for their Bad Neighbor advisory that was originally published on October 15th, 2020. The new information includes:

• A list of unaffected products, and

• A list of two affected products (Image Suite and Omni) with mitigation measures.

Mitsubishi Update

Mitsubishi published an update for their MC Works 64 advisory that was originally published on June 18th, 2020 and most recently updated on December 8th, 2020. The new information includes adding mitigation measures for MC Works64 Version 2.00A - 2.02C.

NOTE: NCCIC-ICS published an advisory for these vulnerabilities back in June but has not yet updated it for any of the updates that Mitsubishi has published. This is probably due to a failure by Mitsubishi to inform NCCIC-ICS of the updates.

Rockwell Update

Rockwell published an update for their FactoryTalk Linx advisory that was originally published on December 27th, 2020. The new information includes links to mitigation measures for three of the vulnerabilities.

Siemens Update

Siemens published an out-of-zone update for their SolidEdge advisory that was originally published on January 12th, 2021. The new information includes additional mitigation information for SolidEdge SE2020.

Software Toolbox Update

Software Toolbox published an update for their TopServer advisory that was originally published on December 9th, 2020. The new information includes adding the CVE numbers for the included vulnerabilities.

NOTE: This advisory was included in ICSA-20-352-02. This update will probably not be mentioned by NCCIC-ICS since the link provided in their advisory takes one to this update.

Saturday, November 14, 2020

Public ICS Disclosures – Week of 11-07-20

This week we have eight vendor disclosures for products from Schneider (7) and Thales Group. We also have nine updates for advisories for products from Schneider (5), Siemens (2), Carestream and Rockwell.

Schneider Advisories

Schneider published an advisory describing three vulnerabilities in the web servers of their Modicon M340, Modicon Quantum and Modicon Premium Legacy products. The vulnerabilities were reported (here and here) by Kai Wang of Fortinet's FortiGuard Labs. Schneider is working on mitigation measures for those affected products that are not end-of-life.

The three reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-7562,

• Out-of-bounds write - CVE-2020-7563, and

• Classic buffer overflow - CVE-2020-7564

 

Schneider published an advisory describing an improper privilege management vulnerability in their EcoStruxure™ Operator Terminal Expert runtime (Vijeo XD). The vulnerability was reported by Lasse Trolle Borup of Danish Cyber Defence. Schneider has a service pack that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

Schneider published an advisory describing nine vulnerabilities in their Interactive Graphical SCADA System (IGSS) product. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (4) – CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,

• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and

• Out-of-bounds read - CVE-2020-7557

 

Schneider published an advisory describing seven vulnerabilities in their EcoStruxure Building Operation (EBO) product offerings. The vulnerabilities were reported by Luis Vázquez, Francisco Palma, and Diego León of Zerolynx, and Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, and Massimiliano Brolli of TIM Security Red Team Research. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-7569,

• Stored cross-site scripting - CVE-2020-7570,

• Reflected cross-site scripting - CVE-2020-7571,

• Improper restriction of XML external entity reference - CVE-2020-7572,

• Improper access control - CVE-2020-7573,

• Windows unquoted search path - CVE-2020-28209, and

• Cross-site scripting - CVE-2020-28210
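The "Windows unquoted search path" entry (CVE-2020-28209) is a well-understood class: when a service's ImagePath contains spaces and is not quoted, Windows tries each space-delimited prefix (with .exe appended) before the intended binary, so anyone who can write to a parent directory can get their file run as the service account. The script below is an added example, not from this post and not Schneider's code: it audits a constructed set of ImagePath values (invented service, vendor and directory names) for that condition, lists the files an attacker would need to plant, and produces the quoted path that fixes each one.

```python
import re

# Constructed sample of service ImagePath values, in the form they appear in
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath or `sc qc <name>`.
# Service names, vendors and directories are invented for the example.
SAMPLE_SERVICES = {
    "ExampleBuildingSvc": r"C:\Program Files\Example Vendor\Building Ops\ebosvc.exe",
    "ExampleAgent": r"C:\Program Files (x86)\Example\agent.exe -k service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\quoted.exe" --daemon',
    "HostSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
    "NoSpaces": r"C:\Tools\svc.exe",
}

# The executable portion ends at the first ".exe"; the rest is the argument string.
_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE)


def split_image_path(image_path: str):
    """Split an unquoted ImagePath into (executable, arguments)."""
    m = _EXE_RE.match(image_path.strip())
    if not m:
        return image_path.strip(), ""
    return m.group(1), m.group(2)


def hijack_candidates(image_path: str) -> list:
    r"""Files Windows would try before the intended executable.

    For an unquoted path whose directory part contains spaces, CreateProcess
    tries each prefix that ends at a space (appending .exe) before the full
    path, e.g. C:\Program.exe, then C:\Program Files\Example.exe. Spaces that
    appear only in the arguments do not create a candidate, and a path that
    is already quoted yields nothing.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe, _args = split_image_path(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_fix(image_path: str) -> str:
    """The corrected ImagePath: executable quoted, arguments left as they are."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe, args = split_image_path(path)
    return f'"{exe}"{args}'


def audit(services: dict) -> dict:
    """Map each vulnerable service name to the paths an attacker could plant."""
    findings = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces")
        for c in candidates:
            print(f"  attacker-controllable: {c}")
        print(f"  fix: {quoted_fix(SAMPLE_SERVICES[name])}")
```

On a real host the input dictionary would come from `Get-CimInstance Win32_Service` (the Name and PathName properties) rather than the constructed sample; the candidate list is only exploitable where the attacker can actually write to the corresponding directory, so check directory ACLs before treating a hit as a finding.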

 

Schneider published an advisory describing four vulnerabilities in their Modicon M221 product. The vulnerabilities were reported by Yehuda Anikster and Rei Henigman of Claroty, and Seok Min Lim and Bryon Kaan of Trustwave (here). Schneider provides generic workarounds to mitigate the vulnerabilities.

The four reported vulnerabilities are:

• Inadequate encryption strength - CVE-2020-7565,

• Small space of random values - CVE-2020-7566,

• Missing encryption of sensitive data - CVE-2020-7567, and

• Exposure of sensitive data to an unauthorized actor - CVE-2020-7568

NOTE: The Trustwave report contains proof-of-concept code.

 

Schneider published an advisory describing an improper access control vulnerability in their Easergy T300 remote terminal unit. The vulnerability was reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory discussing the Drovorub malware and its impact on their Q Data Radio and J Data Radio devices. Schneider is providing generic workarounds pending further work on mitigating the vulnerabilities.

Thales Advisory

Thales Group published an advisory for their Sentinel RMS License Manager. The advisory is only available to registered customers. We should expect to see various vendors incorporating the fix for this in their affected products.

Schneider Updates

Schneider published an update for their Ripple20 advisory. The new information includes adding mitigation measures for:

• eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers,

• IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers, and

• IFE Gateway

 

Schneider published an update for their EcoStruxure advisory that was originally published on May 12th, 2020 and most recently updated on June 9th, 2020. The new information includes adding mitigation measures for CVE-2020-7495 & CVE-2020-7497.

 

Schneider published an update for their Modicon M218/M241/M251/M258 Logic Controllers advisory that was originally published on April 14th, 2020. The new information includes adding mitigation measures for M258.

 

Schneider published an update for their Modicon Controllers advisory that was originally published on March 20th, 2020. The new information includes adding mitigation information for CVE-2020-7475.

 

Schneider published an update for their Modicon M580 controller advisory that was originally published on October 8th, 2019. The new information includes adding mitigation information for CVE-2019-6848 and CVE-2019-6849.

Siemens Updates

Siemens published an update for their CodeMeter advisory. The new information includes adding SICAM 230 to the list of affected versions including mitigation measures.


Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on October 13th, 2020. The new information includes adding:

• CVE-2020-10769,

• CVE-2020-14314,

• CVE-2020-25211, and

• CVE-2020-25641

Carestream Update

Carestream published an update [.PDF download link] for their Bad Neighbor advisory. The new information includes lists of affected and unaffected products.

Rockwell Update

Rockwell published an update for their Urgent/11 advisory. The new information includes mitigation measures for ControlLogix 5580 and CompactLogix products.


Saturday, October 17, 2020

Public ICS Disclosures – Week of 10-10-20 – Part 1

This week we have seven vendor disclosures from Eaton, HMS, Bender, Sprecher, Bosch, Rockwell, and Carestream. There are also three vendor updates from ABB and Eaton (2). We also have an exploit that was published for products from BACnet Interoperability Test Services, Inc.

Eaton Advisory

Eaton published an advisory for the CodeMeter vulnerabilities in their Xsoft-CODESYS programming software.

NOTE: This is the first CodeMeter advisory that is specifically tied to the 4th party CODESYS implementation of the Wibu-Systems code that I have seen.

HMS Advisory

HMS published an advisory for the Ripple20 [corrected link, 10-18-20 0846 EDT] vulnerabilities, reporting that none of their products are affected.

NOTE: The advisory indicates that HMS employed a third-party research firm to help them assess the potential exposure to these vulnerabilities.

Bender Advisory

Bender published an advisory describing an improper authentication vulnerability in their COMTRAXX products. The vulnerability was reported by Maxim Rupp. Bender has a new software version that mitigates the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

Sprecher Advisory

Sprecher published an advisory describing an input validation vulnerability in their SPRECON-E engineering tools. The vulnerability was reported by Gregor Bonney of CyberRange-e at Innogy. Sprecher has a firmware update that mitigates the vulnerability. There is no indication that Bonney has been provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing the Microsoft® remote desktop services vulnerability in their Rexroth industrial PCs.

Rockwell Advisory

Rockwell published an advisory describing five buffer overflow vulnerabilities in their 1794-AENT Flex I/O products. The vulnerabilities were reported (here, here and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds to mitigate these vulnerabilities.

NOTE: The Cisco Talos reports provide proof-of-concept code for the vulnerabilities.

Carestream Advisory

Carestream published an advisory [.PDF download link] describing the Microsoft Bad Neighbor vulnerability. Carestream is looking into the potential effects of this vulnerability on their products.
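Bad Neighbor is CVE-2020-16898, a flaw in how the Windows TCP/IP stack parses the Recursive DNS Server (RDNSS) option in ICMPv6 Router Advertisements; the malformed shape that network detections key on is an RDNSS option whose Length field is even (a well-formed option is one 8-octet header unit plus two units per address, so Length is always odd). The parser below is an added example, not from this post or from Carestream or Microsoft: it walks the option list of constructed RA payloads (checksum left at zero, addresses from the 2001:db8::/32 documentation range) and reports RDNSS options with an invalid Length, which is the check an IDS rule or a capture triage script would make.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16   # 4-byte ICMPv6 header + 12 bytes of RA fields (RFC 4861)
OPT_SOURCE_LLA = 1   # Source Link-Layer Address option
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 8106)


def rdnss_length_is_valid(length: int) -> bool:
    """RDNSS Length is counted in 8-octet units: one unit of header
    (type, length, reserved, lifetime) plus two units per IPv6 address,
    so a well-formed option has an odd Length of at least 3. An even
    Length is the malformed shape associated with CVE-2020-16898."""
    return length >= 3 and length % 2 == 1


def parse_ra_options(icmpv6: bytes):
    """Yield (offset, type, length, data) for every option in an RA payload.

    Parsing stops at a zero Length, which RFC 4861 forbids, so a bad packet
    cannot spin the loop; a truncated final option is yielded as-is."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            return
        size = opt_len * 8
        yield off, opt_type, opt_len, icmpv6[off + 2:off + size]
        off += size


def find_malformed_rdnss(icmpv6: bytes) -> list:
    """Offsets of RDNSS options with an invalid Length (the Bad Neighbor shape)."""
    return [off for off, t, length, _ in parse_ra_options(icmpv6)
            if t == OPT_RDNSS and not rdnss_length_is_valid(length)]


# --- Constructed sample packets (not captured traffic). The ICMPv6 checksum
# --- is left at zero because these bytes are only fed to the parser.
def build_ra(options: bytes) -> bytes:
    # type 134, code 0, checksum 0, cur hop limit 64, flags 0,
    # router lifetime 1800 s, reachable time 0, retrans timer 0
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       64, 0, 1800, 0, 0) + options


def rdnss_option(length: int, addresses: bytes) -> bytes:
    # type 25, Length, reserved, lifetime 3600 s, then whatever address bytes
    # fit into Length*8 octets (cut or zero-padded to build odd/even cases)
    total = length * 8
    body = struct.pack("!BBHI", OPT_RDNSS, length, 0, 3600) + addresses
    return body[:total].ljust(total, b"\x00")


DNS_ADDR = bytes.fromhex("20010db8000000000000000000000053")          # 2001:db8::53
SOURCE_LLA = struct.pack("!BB6s", OPT_SOURCE_LLA, 1, bytes.fromhex("02aabbccddee"))

BENIGN_RA = build_ra(SOURCE_LLA + rdnss_option(3, DNS_ADDR))            # one address, Length 3
MALFORMED_RA = build_ra(SOURCE_LLA + rdnss_option(4, DNS_ADDR * 2))     # even Length 4

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("malformed", MALFORMED_RA)):
        print(name, "malformed RDNSS at offsets:", find_malformed_rdnss(pkt))
```

The same odd-Length rule is what a Suricata or Zeek signature for this CVE encodes; the parser here only looks at the ICMPv6 payload, so in a real pipeline the caller first strips the Ethernet and IPv6 headers and confirms Next Header is 58.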

ABB Update

ABB published an update of their CodeMeter advisory for their Automation Builder products that was originally published on September 17th, 2020. ABB reports that CVE-2020-14517 has not been closed in the latest version of the Wibu-Systems CodeMeter (v.7.10a). That version has been integrated into the latest version of Automation Builder.

Eaton Updates

Eaton published an update for their Ripple20 [Corrected link, 10-18-20, 0851 EDT] advisory that was originally published on June 23rd, 2020 and most recently updated on July 24th, 2020. The new information includes updated mitigation information for Form 4D.

Eaton published an update for their Triangle MicroWorks DNP3 Outstation Libraries vulnerability advisory that was originally published on April 22nd, 2020 and most recently updated on August 6th, 2020. Eaton has updated their affected product list and mitigation measures.

NOTE: The NCCIC-ICS advisory was never updated to provide links to vendors reporting these library vulnerabilities in their products.

BACnet Exploit

Zero Science Lab published an exploit for a remote denial of service vulnerability in the BACnet Test Server from BACnet Interoperability Test Services, Inc. There is no report of a coordinated disclosure or CVE # for this vulnerability so it looks like it may be a 0-day exploit.

More to Come

Part II of this post will include Schneider and Siemens advisories and updates.

Saturday, August 29, 2020

Public ICS Disclosures – Week of 8-29-20


This week we have a Ripple20 vendor update from Carestream.

Carestream Update


Carestream published an update of their Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on July 16th, 2020. The updated information includes the note that, after careful review, no Carestream products are affected.

Saturday, July 18, 2020

Public ICS Disclosures – Week of 7-11-20


This week we have five Ripple20 vendor disclosures and updates from Siemens, ABB, Rockwell, Carestream and Schneider Electric; two SigRed vendor disclosures from Philips and GE Healthcare; and three other vendor disclosures from HMS and Schneider (2). Four vendor updates from Schneider (2) and Siemens (2) and two researcher disclosures for products from Siemens and Advantech round out the week's offerings.

Ripple20 Disclosures and Updates


Siemens published a Ripple20 advisory for their SPPA-T3000 Solutions distributed control system. Siemens provides generic mitigation measures for these vulnerabilities.

NOTE: Siemens published a note at the top of their Security Publications page noting that:

“No Siemens product is known to use Treck Inc.'s TCP/IP stack, or otherwise be affected by the reported vulnerabilities.
“Note that Siemens products and systems might interact with products from other manufacturers which are affected by the reported vulnerabilities. In such cases Siemens recommends that owners of operational infrastructures verify if these products are affected and evaluate the potential impact of the Ripple20 vulnerabilities.”

Since the SPPA-T3000 advisory also contains two Intel Server Platform Services vulnerabilities, I suspect that the Ripple20 vulnerabilities come with the Intel server upon which the T3000 is built.

ABB published a Ripple20 advisory. The advisory contains a list of affected products and generic mitigation measures pending further work to address the vulnerabilities.

Rockwell updated their Ripple20 advisory. The new information includes an updated table of affected products.

Carestream updated their Ripple20 advisory (.PDF download link). The new information includes adding 20 products that were on the ‘still evaluating list’ to the not affected list. The list of affected products has not changed.

Schneider updated their Ripple20 advisory. The new information includes removing the “Smartlink ELEC” from the list of affected products.

SigRed Disclosures


SigRed is the ‘cute’ name given to the Microsoft ‘wormable’ remote code execution DNS vulnerability (CVE-2020-1350).

Philips published a SigRed advisory noting that: “Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options.”


GE Healthcare published a SigRed advisory noting that: “GE Healthcare is actively assessing products that utilize impacted Microsoft Operating Systems.”

Neither of these advisories provide much in the way of information beyond noting that a vague ‘some’ of their products may be affected.

Vendor Disclosures


HMS published an advisory describing a remote code execution vulnerability in their eCatcher product. The vulnerability was reported by Claroty. HMS has an update that mitigates the vulnerability. There is no indication that Claroty was provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an open redirect vulnerability in their Schneider Electric Software Update (SESU). The vulnerability was reported by Amir Preminger of Claroty. Schneider has a new version that mitigates the vulnerability. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing two denial of service vulnerabilities in their Floating License Manager. These are third-party vulnerabilities in the Flexera FlexNet Publisher (reported here and here). Schneider has a new version that mitigates these vulnerabilities.

NOTE: Flexera is also reporting three other vulnerabilities (CVE-2019-8963, CVE-2020-12080, and CVE-2020-12081) that could potentially affect the Schneider Floating License Manager and a variety of other vendor ‘license manager’ products based upon the Flexera product.

Vendor Updates


Schneider updated their ZombieLoad advisory. The new information includes updated mitigation measures for the HMI products.

Schneider updated their BlueKeep advisory. The new information includes updated mitigation measures for the HMI products.

Siemens updated their Vulnerabilities in Intel CPUs advisory. The new information includes:

• Updated mitigation and affected version information for SIMATIC ITP1000, and
• Removed SIMATIC IPC827E from list of affected devices

Siemens updated their GNU/Linux advisory. The new information includes adding:

• CVE-2020-12114,
• CVE-2020-12659,
• CVE-2020-13630,
• CVE-2020-13631, and
• CVE-2020-13632

Researcher Disclosures


Talos published a report on the Siemens LOGO web server vulnerability that was reported earlier this week. The Talos report includes proof-of-concept code for the vulnerability.

The Zero Day Initiative published 43 reports, all based upon research by rgod, about the Advantech iView vulnerabilities that were reported earlier this week. Most of the reports provided more details on the three CVEs listed in the NCCIC-ICS advisory. One of the reports, however, described an input validation vulnerability that was not reported by NCCIC-ICS.

Friday, October 5, 2018

ICS Advisory and 2 Medical Device Advisories


Yesterday the DHS NCCIC-ICS published a controls system security advisory for products from WECON and two medical device security advisories for products from Change Healthcare and Carestream.

WECON Advisory


This advisory describes four vulnerabilities in the WECON PI Studio, an HMI project programmer. The vulnerabilities were reported by Mat Powell and Natnael Samson (Natti) via the Zero Day Initiative. WECON is working on mitigation measures.

The four reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-14818;
• Out-of-bounds write - CVE-2018-14810;
• Information exposure through XML external entity reference - CVE-2018-17889; and
• Out-of-bounds read - CVE-2018-14814

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution, execution of code in the context of an administrator, read past the end of an allocated object or allow an attacker to disclose sensitive information under the context of administrator.

Change Healthcare Advisory


This advisory describes an information exposure through error message vulnerability in the Change Healthcare PeerVue Web Server. The vulnerability was reported by Dan Regalado of Zingbox. Change Healthcare has a patch available to mitigate the vulnerability. There is no indication that Regalado has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to allow an attacker to obtain technical information about the PeerVue Web Server, allowing an attacker to target a system for attack.

Carestream Advisory


This advisory describes an information exposure through an error message vulnerability in the Carestream Vue RIS, a web-based radiology information system. The vulnerability was reported by Dan Regalado of Zingbox. Carestream has a new version that mitigates the vulnerability and has provided workarounds. There is no indication that Regalado has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with access to the network can exploit the vulnerability to passively read traffic.

NOTE: It is always interesting to see a researcher who has found an unusual vulnerability in one system to then look for the same type vulnerability in other related systems. It makes me wonder if developers reading these advisories (and of course they do, right?) ask themselves if their systems have the same vulnerability.

 