Showing posts with label Carl Hurd.

Saturday, March 28, 2020

Public ICS Disclosures – Week of 03-21-20


This week we have five vendor disclosures for products from Phoenix Contact (2), 3S (2) and Philips along with an update of a previous vendor disclosure from Belden. There is also an exploit publication for products from GE. Finally, an interesting look at control system security and COVID-19 ‘industrial distancing’.

Phoenix Contact Advisories


Phoenix Contact published an advisory [.PDF download link] describing a privilege escalation vulnerability in their Portico Remote desktop control software. The vulnerability was reported by an unnamed researcher. Phoenix Contact has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.


Phoenix Contact published an advisory [.PDF download link] describing an insecure permissions vulnerability in their PC WORX SRT. The vulnerability was reported by Sharon Brizinov of Claroty. Phoenix Contact provides generic workarounds to mitigate the vulnerability.

3S Advisories


3S published an advisory [.PDF download link] describing an out-of-bounds memory buffer access vulnerability in their CODESYS communication protocol. The vulnerability was reported by Carl Hurd of Cisco Talos and an OEM customer. 3S has a new version that mitigates the vulnerability. There is no indication that Hurd has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Talos report includes proof-of-concept exploit code.


3S published an advisory [.PDF download link] describing a heap-based buffer overflow vulnerability in their Web Service application. The vulnerability was reported by Tenable. 3S has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Tenable report includes proof-of-concept exploit code.

Philips Advisory


Philips published an advisory describing two vulnerabilities in their AC 2719 Air Purifier when using the Air Matters Android application. Philips reports that this is a chip-level problem, but reportedly a newer version of the application mitigates the vulnerabilities (?). The vulnerabilities were reported by an unnamed researcher.

The two (3 or 4 depending on where you read in the advisory) reported vulnerabilities are:

• Cleartext transmission of information;
• Insufficient Diffie-Hellman strength; and
• Decompiling Android app

NOTE: Okay, I will admit that I am confused by this advisory. I cannot find a researcher report of these vulnerabilities. If someone wants to step forward and explain this to me, I would appreciate it.

GE Exploit


Ivan Marmolejo has published an exploit for a password denial of service vulnerability in the GE ProficySCADA for iOS. There is no CVE number associated with the exploit report nor any vendor contact reports, and I cannot find a report of a similar vulnerability on the GE security advisory page, so this looks like a 0-day exploit.

COVID-19


Otorio.com has an interesting blog post about the increase in remote access to industrial systems due to COVID-19. They introduce a fun new term ‘industrial distancing’. It is a quick read, but worth it.

Saturday, March 14, 2020

Public ICS Disclosures – Week of 3-7-20


This week we have eight vendor disclosures for products from WAGO (7) and Beckhoff. We also have a researcher report of exploit code for previously disclosed vulnerabilities for products from Phoenix Contact.

WAGO Advisories


VDE CERT published an advisory describing two vulnerabilities in the WAGO e!Cockpit. The vulnerabilities were reported by Nico Jansen of FH Aachen and Carl Hurd of Cisco Talos. WAGO provides generic mitigation measures for these vulnerabilities.

The two reported vulnerabilities are:

Cleartext transmission of sensitive information - CVE-2019-5107; and
Use of broken or risky cryptographic algorithm - CVE-2019-5106

NOTE: The CVE links above are to Talos vulnerability reports that contain exploit code.


VDE CERT published an advisory describing two vulnerabilities in the WAGO Web-Based Management Authentication. The vulnerabilities were reported by Daniel Szameitat and Jan Hoff of innogy SE, and Daniel Patrick DeSantis and Lilith [-_-] of Cisco Talos. WAGO has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Regular expression without anchor - CVE-2019-5134; and
Information exposure through timing discrepancy - CVE-2019-5135

NOTE: The CVE links above are to Talos vulnerability reports that contain exploit code.
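The two WBM authentication findings above are named only by their weakness class, so here is an added illustration of what each class looks like in code and how the check is hardened. This is example code written for this post, not WAGO's firmware or the Talos proof-of-concept; the credential store, usernames and password are constructed for the example. The early-exit compare returns the number of byte comparisons it performed so the timing leak is visible without a stopwatch.

```python
import hmac
import re

# Constructed credential store for the example; not WAGO's code or data.
USERS = {"admin": b"s3cr3t-pass"}


# Regular expression without anchor: re.match() anchors only at the start of
# the string, so any trailing bytes after a valid username are accepted.
def username_ok_unanchored(name):
    return re.match(r"[A-Za-z0-9_]+", name) is not None


# A trailing "$" looks anchored, but in Python "$" also matches just before a
# final newline, so "admin\n" still passes.
def username_ok_dollar(name):
    return re.match(r"^[A-Za-z0-9_]+$", name) is not None


# Hardened: fullmatch() requires the whole string to match the pattern.
def username_ok_anchored(name):
    return re.fullmatch(r"[A-Za-z0-9_]+", name) is not None


# Information exposure through timing discrepancy: the compare returns at the
# first differing byte, so the work done (and the response time) tells the
# attacker how long the correct prefix of the guess is. Returns (ok, steps).
def password_ok_early_exit(name, guess):
    secret = USERS.get(name)
    if secret is None or len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


# Hardened: hmac.compare_digest() takes the same time regardless of where
# equal-length inputs differ, so the prefix length is not observable.
def password_ok_constant_time(name, guess):
    secret = USERS.get(name, b"")
    return hmac.compare_digest(secret, guess)


if __name__ == "__main__":
    print(username_ok_unanchored("admin; reboot"), username_ok_anchored("admin; reboot"))
    print(password_ok_early_exit("admin", b"s3cr3t-xxxx"))
    print(password_ok_constant_time("admin", b"s3cr3t-pass"))
```

When auditing a login handler, look for `re.match`/`re.search` on attacker-controlled fields without `fullmatch` or `\Z`, and for `==` on secrets; both show up as a single line and both are fixed by a single line.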


VDE CERT published an advisory describing an insufficient resource pool vulnerability in the WAGO Web-Based Management (wbm) of WAGO PLCs. The vulnerability was reported (report contains exploit code) by Daniel Patrick DeSantis of Cisco Talos.


VDE CERT published an advisory describing four vulnerabilities in the WAGO Cloud Connectivity. The vulnerabilities were reported by Kelly Leuschner of Cisco Talos. WAGO provides generic mitigation measures for these vulnerabilities.

The four reported vulnerabilities are:

Improper access control - CVE-2019-5160;
Improper neutralization of special elements used in OS command (3) - CVE-2019-5155, CVE-2019-5157 and CVE-2019-5156.

NOTE: The CVE links above are to Talos vulnerability reports that contain exploit code.


VDE CERT published an advisory describing two vulnerabilities in the WAGO eCockpit Update Package. The vulnerabilities were reported by Kelly Leuschner of Cisco Talos. WAGO provides hashes for the wup files.

The two reported vulnerabilities are:

External control of file name path - CVE-2019-5159; and
Improper input validation - CVE-2019-5158

NOTE: The CVE links above are to Talos vulnerability reports that contain exploit code.
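The two controls that matter for an update package with these weakness classes are the ones this advisory points at: compare the file against the hash WAGO publishes before installing it, and refuse any archive member whose name would write outside the install directory. The following is an added example written for this post, not WAGO's tooling; the real .wup layout is not described here, so a zip archive and the member names are assumed purely for illustration, and the "expected" hash is computed from the constructed package in place of the value you would copy from the advisory.

```python
import hashlib
import hmac
import io
import os
import zipfile


# Constructed stand-in for an update package: two ordinary members plus two
# whose names escape the install directory. The zip format is an assumption
# for the example, not a statement about the real .wup format.
def build_sample_package():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ecockpit/manifest.txt", "version=1.0\n")
        zf.writestr("ecockpit/app.bin", b"\x7fELF...")
        zf.writestr("../../etc/cron.d/backdoor", "* * * * * root /bin/sh\n")
        zf.writestr("/etc/shadow", "root::0:0:::::\n")
    return buf.getvalue()


def package_sha256_hex(package):
    return hashlib.sha256(package).hexdigest()


# Step 1: the vendor-published hash is the only thing tying the file you
# downloaded to the file the vendor built. In practice expected_sha256_hex
# is copied from the advisory, not computed locally.
def package_hash_ok(package, expected_sha256_hex):
    return hmac.compare_digest(package_sha256_hex(package), expected_sha256_hex)


# Step 2: external control of file name or path. Resolve every member name
# against the install directory and reject anything that lands outside it
# (".." segments, absolute paths). Returns the rejected member names.
def unsafe_members(package, install_dir):
    root = os.path.realpath(install_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if target != root and not target.startswith(root + os.sep):
                bad.append(name)
    return bad


# Both checks must pass before any member is extracted; a correct hash does
# not make a traversal entry safe, and a clean listing does not prove the
# file came from the vendor.
def check_update_package(package, expected_sha256_hex, install_dir):
    return {
        "hash_ok": package_hash_ok(package, expected_sha256_hex),
        "unsafe_members": unsafe_members(package, install_dir),
    }


if __name__ == "__main__":
    pkg = build_sample_package()
    print(check_update_package(pkg, package_sha256_hex(pkg), "/opt/ecockpit"))
```

The path check deliberately uses `os.path.realpath` on the joined path rather than string-inspecting the member name, so it also catches an absolute name (which `os.path.join` silently adopts) and `..` segments hidden in the middle of a path.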


VDE CERT published an advisory describing a reliance on file name or extension of external-supplied file vulnerability in the WAGO Cloud Connectivity service. The vulnerability was reported (report contains exploit code) by Kelly Leuschner of Cisco Talos. WAGO provides generic mitigations for this vulnerability.


VDE CERT published an advisory describing 20 vulnerabilities in the WAGO I/O-Check Service. The vulnerabilities were reported by Kelly Leuschner of Cisco Talos. WAGO provides generic mitigation measures for these vulnerabilities.

The 20 reported vulnerabilities are:

Double free - CVE-2019-5184

NOTE: The CVE links above are to Talos vulnerability reports that contain exploit code.

Beckhoff Advisory


VDE CERT published an advisory describing an uncontrolled resource vulnerability in the Beckhoff BK9000 couplers. The vulnerability was reported by Martin Menschner from Rhebo GmbH. According to VDE CERT, Beckhoff is not changing this behavior.

Phoenix Contact Exploit


SEC Consult published a report containing exploit code for the command injection vulnerability reported earlier this month by Phoenix Contact. This was a coordinated disclosure.

Wednesday, March 4, 2020

1 Alert and 4 Advisories Published – 3-3-20

Yesterday the CISA NCCIC-ICS published a control system security alert for the SweynTooth vulnerabilities and four security advisories for products from Moxa, Omron, Phoenix Contact, and Emerson.

SweynTooth Alert


This alert describes multiple Bluetooth Low Energy (BLE) vulnerabilities known as the SweynTooth vulnerabilities. The vulnerabilities were reported by Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang of the Singapore University of Technology and Design. NCCIC-ICS is coordinating with chip vendors on a resolution of these vulnerabilities.

Last month I briefly reported on an advisory issued by Philips for these vulnerabilities.

Moxa Advisory


This advisory describes twelve vulnerabilities in the Moxa AWK-3131A wireless networking appliance. The vulnerabilities were reported by Jared Rittle, Carl Hurd, Patrick DeSantis, and Alexander Perez Palma of Cisco Talos. Moxa has a patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker using publicly available code could remotely exploit the vulnerabilities to gain control of the device and execute arbitrary code.

NOTE: Last Saturday I reported briefly on these vulnerabilities and provided links to the individual Talos reports that provide the proof-of-concept exploit code for these vulnerabilities.

Omron Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Omron PLC CJ Series. The vulnerability was reported by Jipeng You (XDU). Omron provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

Phoenix Contact Advisory


This advisory describes an incorrect permission assignment for critical resource vulnerability in the Phoenix Contact Emalytics Controller ILC 2050 BI(L). The Phoenix Contact advisory notes that the vulnerability was reported by Anil Parmar. Phoenix Contact has a new version that mitigates the vulnerability. There is no indication that Parmar has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to change the device configuration and start or stop services.

NOTE: I briefly reported on this vulnerability last month.

Emerson Advisory


This advisory describes an improper access control vulnerability in the Emerson ValveLink. The vulnerability is self-reported. Emerson has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.

Friday, May 3, 2019

Three Advisories Published – 05-02-19


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Sierra Wireless, GE, and Orpak.

Sierra Wireless Advisory


This advisory describes seven vulnerabilities in the Sierra Wireless AirLink ALEOS. The vulnerabilities were reported by Carl Hurd and Jared Rittle of Cisco Talos. Sierra Wireless reports that the latest version of ALEOS (not all yet available) mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

OS command injection - CVE-2018-4061;
Use of hard-coded credentials - CVE-2018-4062;
Unrestricted upload of file with dangerous type - CVE-2018-4063;
Cross-site scripting - CVE-2018-4065;
Cross-site request forgery - CVE-2018-4066;
Information exposure - CVE-2018-4067; and
Missing encryption of sensitive data - CVE-2018-4069

The Talos web site lists six additional vulnerabilities (with exploits) {NOTE: the Sierra Wireless advisory (.PDF Download) explains these ‘vulnerabilities’}:

Information exposure - CVE-2018-4068;
Unverified password change - CVE-2018-4064;
Information disclosure (2) - CVE-2018-4070, CVE-2018-4071; and
Permission assignment (2) - CVE-2018-4072, CVE-2018-4073

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit these vulnerabilities to remotely execute code, discover user credentials, upload files, or discover file paths.

GE Advisory


This advisory describes five vulnerabilities in the General Electric Communicator. The vulnerabilities were reported by Reid Wightman of Dragos. GE has a new version that mitigates the vulnerabilities. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

Uncontrolled search path (2) - CVE-2019-6564 and CVE-2019-6546;
Hard-coded credentials - CVE-2019-6548; and
Improper access controls (2) - CVE-2019-6544 and CVE-2019-6566

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges, manipulate widgets and UI elements, gain control over the database, or execute administrative commands.

Orpak Advisory


This advisory describes six vulnerabilities in the Orpak SiteOmat fuel management software. The vulnerabilities were reported by Ido Naor of Kaspersky Lab. Orpak has an update available that mitigates the vulnerabilities. There is no indication that Naor has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

Use of hard-coded credentials - CVE-2017-14728;
Cross-site scripting - CVE-2017-14850;
SQL injection - CVE-2017-14851;
Missing encryption of sensitive data - CVE-2017-14852;
Code injection - CVE-2017-14853; and
Stack-based buffer overflow - CVE-2017-14854

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (NOTE: The exploits have been available for over one year) to remotely exploit these vulnerabilities to effect arbitrary remote code execution resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information.
