Showing posts with label Chris Anastasio.

Saturday, June 20, 2020

Public ICS Disclosures – Week of 6-13-20


This week we have eight vendor disclosures (three for the Ripple20 vulnerabilities) for products from Beckhoff, Moxa, Medtronic, GE Healthcare, Draeger (2), Rockwell, and BD. There is also a researcher report of a zero-day for products from Inductive Automation.

Ripple20 Advisories


Medtronic published a Ripple20 advisory reporting no impact.

GE Healthcare published a Ripple20 advisory reporting no impact but advising that there may be possible impact to third party components used in combination with GE Healthcare products.

Draeger published a Ripple20 advisory reporting no impact.

NOTE: “No impact” reports are valuable information. I think the GE nuanced ‘no impact’ report is important where the vendor software may be running on a machine that includes other non-vendor produced software (perhaps including OS?).

Beckhoff Advisory


CERT-VDE published an advisory describing an information leak vulnerability in the Beckhoff TwinCAT RT network driver. The vulnerability is self-reported. Beckhoff has patches that mitigate the vulnerability.

Moxa Advisory


Moxa published an advisory describing a stack-based buffer overflow vulnerability in their EDR-G902 Series and EDR-G903 Series Secure Routers. The vulnerability was reported by Tal Keren from Claroty. Moxa has new firmware to mitigate the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

Draeger Advisory


Draeger published an advisory describing an improper input validation vulnerability in their Perseus A500 product. The vulnerability is self-reported. Draeger has new software that mitigates the vulnerability.

Rockwell Vulnerability


Rockwell published an advisory describing a path traversal vulnerability in their FactoryTalk Linx software. This vulnerability was demonstrated in the ZDI Pwn2Own competition at this year’s S4 Security conference. Rockwell has a patch that mitigates the vulnerability.

NOTE: Rockwell reports that they had previously disclosed this vulnerability in an advisory that was published on June 11th, 2020. I suppose that the Pwn2Own announcement could have been included as an update to that advisory. This may be why NCCIC-ICS has not picked up this advisory.

BD Advisory


BD published an advisory describing a remote code execution vulnerability in a number of BD products that run Microsoft Windows 10. This is a third-party (Microsoft) SMBv3 server vulnerability. BD is currently testing and validating the Microsoft patch on the affected products before recommending it.

Inductive Automation Advisory


The Zero Day Initiative published an advisory describing a deserialization of untrusted data vulnerability (information disclosure) in the Inductive Automation Ignition product. The vulnerability was reported by Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team. It was demonstrated in the ZDI Pwn2Own competition at this year’s S4 Security conference and reported to the vendor. The vendor has not been able to provide an estimated fix date to either ZDI or NCCIC-ICS, so this is effectively a zero-day vulnerability.
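The bug class named in the ZDI advisory, deserialization of untrusted data, is easy to see in miniature. The block below is an added example written for this page; it is not Inductive Automation or ZDI code and says nothing about how Ignition itself serializes data. It uses Python’s pickle as the stand-in format: the unrestricted loader will resolve and call whatever global the byte stream names, while a loader that overrides find_class with an allow-list rebuilds only the one application type it expects. The Reading type, the attacker_payload function and the EXECUTED list are constructed for the demonstration (a real payload would name os.system or similar).

```python
"""Added illustration (not Inductive Automation code) of deserialization of
untrusted data, using Python's pickle: the unrestricted loader runs whatever
callable the stream names; the restricted loader allows one known type."""
import io
import pickle

# Records that the constructed payload ran, so the demo has no real side effect.
EXECUTED = []


def attacker_payload():
    EXECUTED.append("payload ran")
    return "pwned"


class Malicious:
    """Pickling this object emits 'call attacker_payload()' into the stream."""

    def __reduce__(self):
        return (attacker_payload, ())


class Reading:
    """The one legitimate application type the hardened loader will rebuild."""

    def __init__(self, tag: str, value: float):
        self.tag = tag
        self.value = value


def serialize(obj) -> bytes:
    return pickle.dumps(obj)


def load_vulnerable(data: bytes):
    """pickle.loads resolves and invokes any global the stream references."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list loader: every global lookup in the stream goes through
    find_class, so anything other than Reading is refused before it is called."""

    ALLOWED = {(Reading.__module__, "Reading")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_hardened(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_blocks(data: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        load_hardened(data)
    except pickle.UnpicklingError:
        return True
    return False


def round_trip_reading(tag: str, value: float):
    """Legitimate data still round-trips through the restricted loader."""
    r = load_hardened(serialize(Reading(tag, value)))
    return (r.tag, r.value)


if __name__ == "__main__":
    evil = serialize(Malicious())
    print("vulnerable loader returned:", load_vulnerable(evil), EXECUTED)
    print("hardened loader blocked it:", hardened_blocks(evil))
    print("hardened loader rebuilt:", round_trip_reading("PT-101", 3.5))
```

The point to take from the restricted loader is that the fix is a positive allow-list of types checked at lookup time, not a blocklist of known-bad gadgets; the same shape applies to Java’s ObjectInputFilter or any other native serialization format.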

Thursday, May 21, 2020

2 Advisories Published – 5-21-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Schneider Electric and Johnson Controls.

Schneider Advisory


This advisory describes five vulnerabilities in the Schneider EcoStruxure Operator Terminal Expert. The vulnerabilities were reported by Sharon Brizinov and Amir Preminger of Claroty Research (via the Zero Day Initiative), Steven Seeley and Chris Anastasio of Incite Team (via ZDI), and Fredrik Østrem, Emil Sandstø, and Cim Stordal of Cognite. Schneider has an update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• SQL Injection - CVE-2020-7493,
• Path traversal (3) - CVE-2020-7494, CVE-2020-7495 and CVE-2020-7497, and
• Argument injection - CVE-2020-7496

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could use publicly available code to exploit the vulnerabilities to allow unauthorized write access or remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Johnson Controls Advisory


This advisory describes a cleartext storage of sensitive information vulnerability in Sensormatic Electronics (subsidiary of Johnson Controls) video management systems. The vulnerability is self-reported. Johnson Controls has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to obtain credentials used to access the application.

Saturday, May 16, 2020

Public ICS Disclosures – Week of 5-9-20


This week we have five vendor disclosures for products from Schneider (4) and Rockwell as well as six vendor updates from Schneider (5) and Siemens. We also have two researcher reports of vulnerabilities in products from Advantech.

Schneider Advisories


Schneider published an advisory describing a weak password requirement vulnerability in their Pro-face GP-Pro EX Programming Software product. The vulnerability was reported by Kirill Kruglov of Kaspersky Labs. Schneider has a new version that mitigates the vulnerability. There is no indication that Kruglov has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing a use of hard-coded credentials vulnerability in their Vijeo Designer Basic and Vijeo Designer software products. The vulnerability was reported by Jie Chen of NSFOCUS. Schneider has a HotFix available to mitigate the vulnerability. There is no indication that Jie has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing two vulnerabilities in their U.motion servers and touch panel products. The vulnerabilities were reported by Rgod and Zhu Jiaqi. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper access control - CVE-2020-7499, and
• SQL injection - CVE-2020-7500


Schneider published an advisory describing five vulnerabilities in their EcoStruxure™ Operator Terminal Expert product. The vulnerabilities were reported by Steven Seeley and Chris Anastasio of Incite Team, Sharon Brizinov and Amir Preminger of Claroty Research via the Zero Day Initiative (see here, here, and here), and Fredrik Østrem, Emil Sandstø, and Cim Stordal of Cognite. Schneider has a new version that mitigates four of the five vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• SQL command injection - CVE-2020-7493,
• Path traversal (3) - CVE-2020-7494, CVE-2020-7495, and CVE-2020-7497, and
• Argument injection or modification - CVE-2020-7496
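Two of the classes listed for this advisory (and for the May 21st NCCIC-ICS version of it), SQL injection and path traversal, are both failures to separate attacker-supplied text from the thing it is spliced into. The block below is an added example written for this page; it is not Schneider code and does not reproduce the Operator Terminal Expert defects. It builds a constructed project directory under a temp folder and an in-memory SQLite user table, then shows each defect beside its hardened form: a project-file reader that joins the caller’s name onto the root as-is versus one that resolves the final path and checks containment, and a login query built by string formatting versus one using bound parameters. PROJECT_ROOT, the users table and the sample rows are all constructed for the demonstration.

```python
"""Added illustration (not Schneider code) of SQL injection and path traversal,
the input-handling defects named in the Operator Terminal Expert advisory."""
import sqlite3
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox: BASE/project is the only directory the application is
# meant to read from; BASE/secret.txt sits outside it.
BASE = Path(tempfile.mkdtemp(prefix="ote_demo_"))
PROJECT_ROOT = BASE / "project"
PROJECT_ROOT.mkdir()
(PROJECT_ROOT / "screen1.xml").write_text("<screen/>")
(BASE / "secret.txt").write_text("outside the project")


def read_project_file_vulnerable(name: str) -> str:
    """Path traversal: the caller-supplied name is joined onto the root as-is,
    so '../secret.txt' (or an absolute path) reads outside PROJECT_ROOT."""
    return (PROJECT_ROOT / name).read_text()


def read_project_file_hardened(name: str) -> str:
    """Resolve '..' and symlinks first, then refuse anything whose final
    location is not strictly inside PROJECT_ROOT."""
    root = PROJECT_ROOT.resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes project root: {name!r}")
    return target.read_text()


def hardened_rejects(name: str) -> bool:
    """True if the hardened reader refuses the name."""
    try:
        read_project_file_hardened(name)
    except PermissionError:
        return True
    return False


# Constructed user table in an in-memory SQLite database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
DB.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [("operator", "op-pass", "operator"), ("admin", "adm-pass", "admin")],
)
DB.commit()


def login_vulnerable(name: str, password: str) -> Optional[str]:
    """SQL injection: user input is spliced into the statement text, so the
    name  admin' --  turns the password check into a comment."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = DB.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(name: str, password: str) -> Optional[str]:
    """Bound parameters: values travel separately from the statement, so quotes
    and comment markers in the input are just data."""
    row = DB.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("traversal, vulnerable :", read_project_file_vulnerable("../secret.txt"))
    print("traversal, hardened   :", "rejected" if hardened_rejects("../secret.txt") else "allowed")
    print("sqli, vulnerable      :", login_vulnerable("admin' --", "wrong"))
    print("sqli, hardened        :", login_hardened("admin' --", "wrong"))
```

The containment check is done on the resolved path rather than by rejecting the substring "..", because encoded or symlinked variants would slip past a string filter; the parameterized query is the fix regardless of database, since escaping by hand is what the vulnerable version is already failing at.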

Rockwell Advisory


Rockwell published an advisory describing five vulnerabilities in multiple Rockwell Automation software products. These are third-party vulnerabilities from OSIsoft components used in the Rockwell products. These vulnerabilities are self-identified. Rockwell provides workarounds to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Local privilege escalation via uncontrolled search path element - CVE-2020-10610,
• Local privilege escalation via improper verification of cryptographic key - CVE-2020-10608,
• Local privilege escalation via incorrect default permissions - CVE-2020-10606,
• Null pointer dereference - CVE-2020-10600, and
• Use of out-of-range pointer offset may lead to remote code execution - CVE-2020-10645

NOTE: These are five of the ten vulnerabilities in the OSIsoft PI System that were reported by NCCIC-ICS earlier this week. The fact that this Rockwell Advisory was published on the same day as the NCCIC-ICS advisory indicates that there was pre-disclosure coordination between OSIsoft and Rockwell, good show.

Advantech Advisories


The Zero Day Initiative published advisories (see links below) describing two vulnerabilities in Advantech WebAccess Node. ZDI published the two advisories as 0-day notifications under their 120-day disclosure rule. ZDI reports that NCCIC-ICS was involved in the coordination of these vulnerabilities. The vulnerabilities were reported by Z0mb1E.

The two reported vulnerabilities are:

• DATACORE Stack-based Buffer Overflow Remote Code Execution Vulnerability - ZDI-20-654, and
• Incorrect Permission Assignment Privilege Escalation Vulnerability - ZDI-20-655

Schneider Updates


Schneider published an update for the Urgent/11 advisory that was originally published on August 11th, 2019 and most recently updated on April 14th, 2020. The new information includes updated mitigation information for:

• Modicon Network Option Switch,
• Modicon X80 - I/O Drop Adapters,
• Modicon Quantum 140 CRA,
• Modicon Quantum Head 140 CRP,
• Modicon Quantum Ethernet DIO network module - 140NOC78x00 (C),
• SCD6000 Industrial RTU, and
• Pro-face HMI -GP4000H/R/E Series


Schneider published an update for their Andover Continuum System advisory that was originally published on March 10th, 2020 and most recently updated on April 14th, 2020. The new information includes minor updates to overview, vulnerability details, and product information for clarification.


Schneider published an update for their Embedded Web Servers for Modicon advisory that was originally published in November 2018 and most recently updated November 27th, 2019. The new information includes a corrected CVSS vector for CVE-2018-7812.


Schneider published an update for their Modicon Controllers advisory that was originally published on May 14th, 2019 and most recently updated on December 10th, 2019. The new information includes updated fix version information for CVE-2018-7857.


Schneider published an update for their Legacy Triconex advisory that was originally published on April 14th, 2020. Unfortunately, the link on the Schneider web site takes one to the original version of the advisory.

Siemens Update


Siemens published an update for their GNU/Linux advisory that was originally published on November 27th, 2018 and most recently updated on April 14th, 2020. The new information includes the addition of the following CVEs:

• CVE-2019-9674,
• CVE-2019-18348,
• CVE-2019-20636,
• CVE-2020-8492,
• CVE-2020-11565,
• CVE-2020-11655, and
• CVE-2020-11656

Saturday, April 18, 2020

Public ICS Disclosures – Week of 04-11-20


This week we have five vendor disclosures for products from Schneider (4) and OPC Foundation. We also have nine updated advisories for products from Schneider (4) and Siemens (5).

Schneider Advisories


Schneider published an advisory describing an injection vulnerability in their Modicon M100/M200/M221 controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic products. The vulnerability was reported by Seok Min Lim and Johnny Pan of Trustwave. Schneider has updated software and firmware that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing two vulnerabilities in their Modicon M218/M241/M251/M258 Logic Controllers, SoMachine & SoMachine Motion, and EcoStruxure Machine Expert products. The vulnerabilities were reported by Rongkuan Ma, Shunkai Zhu and Peng Cheng of 307Lab. Schneider has new versions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Insufficient verification of data authenticity - CVE-2020-7487; and
• Clear-text transmission of sensitive data - CVE-2020-7488



Schneider published an advisory describing an untrusted search path vulnerability in their Vijeo Designer and Vijeo Designer Basic Software products. The vulnerability was reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing four vulnerabilities in their legacy Triconex product. These vulnerabilities are self-reported. Schneider reports that newer versions corrected the vulnerabilities.

The four reported vulnerabilities are:

• Password vulnerability (2) - CVE-2020-7483 and CVE-2020-7484;
• Improper access - CVE-2020-7485; and
• Denial of service - CVE-2020-7486

OPC Foundation Advisory


OPC published an advisory describing a malformed-message vulnerability in their UA .NET Standard Stack. The vulnerability was reported by Steven Seeley (mr_me) and Chris Anastasio (muffin) via the Zero Day Initiative. OPC has updates available that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider Updates


Schneider has published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on March 11th, 2020. The new information includes updated mitigation information for:

• ION7400 MID; and
• PM8000 MID


Schneider has published an update for their Modicon Controllers advisory that was originally published on November 12th, 2019. The new information includes the addition of a new hard-coded credentials vulnerability - CVE-2019-6859.


Schneider has published an update for their Andover Continuum advisory that was originally published on March 10th, 2020. The updated information includes an explanation that the code injection vulnerability is a third-party MS-XML library vulnerability.


Schneider has published an update for their Modicon Controllers advisory that was originally published on December 10th, 2019. The updated information includes:

• Adding Modicon M340 and M580 to affected product list;
• Adding a hotfix link and adding further details to the mitigation measures;
• Adding updated firmware links; and
• Adding Enrique Murias Fernández of Tecdesoft Automation to the acknowledgements.

Siemens Updates


Siemens published an update for an advisory for Intel CPUs that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET 200SP Open Controller CPU 1515SP PC2.


Siemens published an update for an advisory for Industrial Products that was originally published on January 14th, 2020. The new information includes explicitly mentioning old versions of SIMATIC NET.


Siemens published an update for their GNU/Linux subsystem vulnerabilities advisory that was originally published on November 27th, 2018 and most recently updated on February 11th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2015-5895;
• CVE-2019-19447;
• CVE-2019-19603;
• CVE-2019-19645,
• CVE-2019-19646;
• CVE-2019-19880;
• CVE-2019-19923;
• CVE-2019-19924;
• CVE-2019-19925;
• CVE-2019-19926;
• CVE-2019-19959;
• CVE-2019-20218;
• CVE-2020-8428;
• CVE-2020-8492;
• CVE-2020-9327;
• CVE-2020-10029; and
• CVE-2020-10942


Siemens published an update for their SIMATIC advisory that was originally published on July 30th, 2012. The new information includes adding SIPLUS devices to the list of affected devices.

NOTE: ICS-CERT published advisory ICSA-12-212-02 covering this vulnerability, but has not yet updated (and may not update) that advisory.


Siemens published an update for a second SIMATIC advisory, also originally published on July 30th, 2012. The new information likewise includes adding SIPLUS devices to the list of affected devices.

NOTE: This advisory was lumped into the ICS-CERT advisory described above.

Wednesday, April 15, 2020

9 Advisories and 5 Updates – 4-14-20


Yesterday the CISA NCCIC-ICS published nine control system security advisories for products from Siemens (6), Triangle MicroWorks (2) and Eaton. They also published updates for five advisories for products from Siemens.

TIM Advisory


This advisory describes an active debug code vulnerability in the Siemens TIM communication modules. This vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker with network access to gain full control over the device.

KTK Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens KTK, SIDOOR, SIMATIC, and SINAMICS products. This vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party SegmentSmack vulnerability as it affects the InterNiche TCP/IP stack.

SCALANCE Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE and SIMATIC products. This vulnerability is self-reported. Siemens provided generic work arounds while they continue to work on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party SegmentSmack vulnerability as it affects the VxWorks OS.

SIMOTICS Advisory


This advisory describes a business logic error vulnerability in the Siemens SIMOTICS, Desigo, APOGEE, and TALON products. The vulnerability was self-reported. Siemens provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit this vulnerability to allow an attacker to affect the availability and integrity of the device.

Industrial Devices Advisory


This advisory describes two vulnerabilities in the Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC and SINEMA products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2018-5390; and
• Improper input validation - CVE-2018-5391

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to affect the availability of the devices under certain conditions.

NOTE: This is the third-party SegmentSmack vulnerability as it affects the Linux OS.

Climatix Advisory


This advisory describes two vulnerabilities in the Siemens Climatix product line. The vulnerabilities were reported by Ezequiel Fernandez from Dreamlab Technologies. Siemens has provided generic workarounds.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7574; and
• Basic XSS - CVE-2020-7575

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote attacker to execute arbitrary code to access confidential information without authentication.

TMW SCADA Advisory


This advisory describes three vulnerabilities in the Triangle Microworks (TMW) SCADA Data Gateway. The vulnerabilities were reported by Incite Team of Steven Seeley and Chris Anastasio, and Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi via the Zero Day Initiative. TMW has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10615;
• Out-of-bounds read - CVE-2020-10613; and
• Type confusion - CVE-2020-10611

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code and disclose information on affected installations of Triangle Microworks SCADA Data Gateway with DNP3 Outstation channels. Authentication is not required to exploit these vulnerabilities.

TMW DNP3 Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Triangle Microworks DNP3 Outstation Libraries. The vulnerability was reported by Incite Team of Steven Seeley and Chris Anastasio via ZDI. TMW has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to stop the execution of code on affected equipment.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton HMiSoft VU3. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. The HMiSoft VU3 has reached end-of-life and is no longer supported by Eaton.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10639; and
• Out-of-bounds read - CVE-2020-10637

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed and may allow remote code execution or information disclosure.

Industrial Products Update


This update provides additional information for an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for ROX II.

PROFINET Update


This update provides additional information for an advisory that was originally published on October 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET200MP IM155-5 PN HF.

TIA Portal Update


This update provides additional information for an advisory that was originally published on January 14th, 2020. The new information includes updated version information and mitigation links for TIA Portal V16.

SIMATIC PCS 7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC WinCC (TIA Portal) V16.

SIMATIC S7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes adding SIMATIC WinAC RTX to the list of affected products.

Other Siemens Updates


Siemens also updated five other advisories yesterday. I expect that NCCIC-ICS will address at least two of these, probably later this week.
