Showing posts with label Digi. Show all posts

Thursday, August 31, 2023

Review – 4 Advisories Published – 8-31-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Digi International, PTC, GE Digital, and ARDEREG.

Advisories

Digi Advisory - This advisory describes a use of password hash instead of password for authentication vulnerability in the Digi RealPort Protocol.

PTC Advisory - This advisory describes four vulnerabilities in the PTC Kepware KepServerEX.

GE Advisory - This advisory describes a process control vulnerability in the GE CIMPLICITY 2023 product.

ARDEREG Advisory - This advisory describes an SQL injection vulnerability in the ARDEREG Sistemas SCADA.


For more details on these advisories, including links to researcher reports and a down-the-rabbit-hole look at the Digi advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-8-31-23 - subscription required.

Saturday, December 24, 2022

Review – Public ICS Disclosures – Week of 12-17-22

This week we have an OpenSSL 3.0 disclosure from Palo Alto Networks. There are nine vendor disclosures from Dahua, Dell, DIGI, Hikvision, HPE, Microchip, Motorola Solutions, TandD, and Western Digital. Finally, there is a vendor update from Siemens.

OpenSSL 3.0

Palo Alto Networks published an advisory discussing the OpenSSL 3.0 vulnerabilities.

Vendor Disclosures

Dahua Advisory - Dahua published an advisory that describes twelve vulnerabilities in a variety of Dahua products.

Dell Advisory - Dell published an advisory that describes nine vulnerabilities (includes 3 third-party vulnerabilities) in their Wyse Management Suite. 

DIGI Advisory - DIGI published an advisory that discusses the FragAttack vulnerabilities.

Hikvision Advisory - Hikvision published an advisory that describes an access control vulnerability in their wireless bridge products.

HPE Advisory #1 - HPE published an advisory that describes a directory traversal vulnerability in their OfficeConnect 1820 and 1850 Switch Series.

HPE Advisory #2 - HPE published an advisory that describes a data injection vulnerability in their Superdome Flex and Superdome Flex 280 Servers.

Microchip Advisory - Microchip published an advisory that discusses the Blue's Clues vulnerabilities.

NOTE: Watch Blue’s Clues (sorry, I could not help myself), cute name and everything. It looks like this will be a major issue for Bluetooth enabled devices, particularly medical devices.

Motorola Advisory - Motorola published an advisory discussing the Fortinet buffer overflow vulnerability.

TandD Advisory - TandD published an end of support notice for products operating on Windows 7 and Windows 8 platforms.

Western Digital Advisory - Western Digital published an advisory describing an information disclosure vulnerability in their My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices.

Vendor Updates

Siemens Update - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on December 13th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-349-14) for the new information.


For more details about these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-f5b - subscription required.

Thursday, August 4, 2022

Review – 1 Advisory and 1 Update Published – 8-4-22

Today CISA’s NCCIC-ICS published a control system security advisory for products from Digi International. They also updated an advisory for products from Inductive Automation.


Digi Advisory - This advisory describes an execution with unnecessary privileges vulnerability in the Digi ConnectPort X2D Gateway.

Inductive Automation Update - This update provides additional information on an advisory that was originally published on July 26th, 2022.

NOTE: The Inductive Automation blog provides an interesting discussion about how the vulnerability can be exploited.


For more details on the advisory and update, as well as a down-the-rabbit-hole look at changes in affected version numbers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-1-update-published-62d - subscription required.

Tuesday, September 14, 2021

Review - 23 Advisories Published – 9-14-21

Today CISA’s NCCIC-ICS published 23 advisories for products from Siemens (20), Schneider, Johnson Controls and Digi.

They also published 22 updates, but I will address those in a subsequent article. Siemens published an additional four new advisories today, and Schneider published three other new advisories today. I will address all seven of them this weekend in my ‘Public ICS Disclosure’ blog post.

SIMATIC Advisory #1 - This advisory describes an incorrect authorization vulnerability in the Siemens SIMATIC, TIM products.

Teamcenter Advisory #1 - This advisory describes a path traversal vulnerability in the Siemens Teamcenter Active Workspace.

Industrial Edge Advisory - This advisory describes an authorization bypass through user controlled key vulnerability in the Siemens Industrial Edge Management.

LOGO! Advisory #1 - This advisory discusses two vulnerabilities in the Siemens LOGO! CMR2020, LOGO! CMR2040 and SIMATIC RTU 3000 family.

SINEMA Advisory #1 - This advisory describes six vulnerabilities in the Siemens SINEMA Remote Connect Server.

Siveillance Advisory - This advisory describes an OS command injection vulnerability in the Siemens Siveillance OIS Building Management Systems products.

Desigo Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Siemens Desigo CC Family.

SIPROTEC Advisory #1 - This advisory describes an improper input validation vulnerability in the Siemens SIPROTEC 5 relays.

SIMATIC Advisory #1 - This advisory describes an improper operation within the bounds of a memory buffer vulnerability in the Siemens SIMATIC NET CP Modules.

SINEC Advisory - This advisory describes two vulnerabilities in the Siemens SINEC network management system (NMS).

LOGO! Advisory #2 - This advisory describes a use of insufficiently random values vulnerability in the Siemens LOGO! CMR, SIMATIC RTU 3000.

SINEMA Advisory #2 - This advisory describes a missing authentication for critical function vulnerability in the Siemens SINEMA Server.

SIMATIC Advisory #2 - This advisory describes an out-of-bounds write vulnerability in the Siemens SIMATIC RFID terminals.

SIPROTEC Advisory #2 - This advisory describes two classic buffer overflow vulnerabilities in the Siemens SIPROTEC 5 relays.

NX Advisory - This advisory describes two vulnerabilities in the Siemens NX product.

Teamcenter Advisory #2 - This advisory describes a path traversal vulnerability in the Siemens Teamcenter Active Workspace. The vulnerability is self-reported. (Appears to be a duplicate advisory.)

Apogee Advisory - This advisory describes a classic buffer overflow vulnerability in the Siemens APOGEE and TALON direct digital controls.

SIMATIC Advisory #3 - This advisory describes a clear-text storage of sensitive information vulnerability in the Siemens SIMATIC CP 1543-1 (incl. SIPLUS variants) and SIMATIC CP 1545-1 products.

Simcenter Advisory #1 - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.

Simcenter Advisory #2 - This advisory describes an out-of-bounds read vulnerability in the Siemens Simcenter Femap simulation application.

Schneider Advisory - This advisory describes two vulnerabilities in the Schneider Struxureware Data Center Expert.

Johnson Controls Advisory - This advisory describes an authentication bypass by capture-replay in the Johnson Controls KT-1 door controller.

For more details on these advisories, including links to vendor advisories, third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/23-advisories-published-9-14-21 - subscription required.

Wednesday, February 12, 2020

13 Advisories and 5 Updates Published – 2-11-20

Today the CISA NCCIC-ICS published 13 control system security advisories for products from Synergy Systems and Solutions, Digi International and Siemens (11). They also updated five control system security advisories for products from Siemens.

Synergy Systems Advisory


This advisory describes two vulnerabilities in the SSS HUSKY RTU. The vulnerabilities were reported by VAPT Team, C3i Center. SSS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2019-20046; and
• Improper input validation - CVE-2019-20045

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read sensitive information, execute arbitrary code, or cause a denial-of-service condition.

Digi Advisory


This advisory describes two vulnerabilities in the Digi ConnectPort LTS 32 MEI. The vulnerabilities were reported by Murat Aydemir and Fatih Kayran of Biznet Bilisim. Digi has a new release that mitigates the vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-6975; and
• Cross-site scripting - CVE-2020-6973

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to limit system availability.

SIPROTEC Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact. The vulnerability was reported by Tal Keren from Claroty. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to conduct a denial-of-service attack over the network.

SIMATIC S7-1500 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7-1500 CPU family. The vulnerability is self-reported. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to conduct denial-of-service attacks.

SCALANCE S-600 Advisory


This advisory describes three vulnerabilities in the Siemens SCALANCE S-600 Firewall. One of the vulnerabilities was reported by Melih Berk Ekşioğlu. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2019-6585; and
• Uncontrolled resource consumption (2) - CVE-2019-13925 and CVE-2019-13926

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to conduct denial-of-service or cross-site scripting attacks. User interaction is required for successful exploitation of the cross-site scripting vulnerability.

OZW Web Server Advisory


This advisory describes an information disclosure vulnerability in the Siemens OZW web server. The vulnerability was reported by Maxim Rupp. Siemens has a new version that mitigates the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow unauthenticated users to access project files.

SIPORT Advisory


This advisory describes an insufficient logging vulnerability in the Siemens SIPORT MP. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow the attacker to create special accounts with administrative privileges.

SCALANCE Advisory


This advisory describes a protection mechanism failure vulnerability in the Siemens SCALANCE X switches. The vulnerability is self-reported. Siemens has updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to perform administrative actions.

SIMATIC PCS 7 Advisory


This advisory describes an incorrect calculation of buffer size vulnerability in the Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC NET PC products. The vulnerability was reported by Nicholas Miles from Tenable. Siemens has new versions that mitigate the vulnerability. There is no indication that Miles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker with network access to cause a denial-of-service condition.

SIMATIC S7 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7 devices. The vulnerability was reported by China Industrial Control Systems Cyber Emergency Response Team. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote attackers to perform a denial-of-service attack by sending a specially crafted HTTP request to the web server of an affected device.

PROFINET Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens PROFINET-IO Stack. The vulnerability was reported by Yuval Ardon and Matan Dobrushin of OTORIO. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to lead to a denial-of-service condition.

NOTE: OTORIO reports that this same vulnerability is found in multiple vendor products including the Moxa EDS Ethernet Switches.

SIMATIC CP Advisory


This advisory describes two vulnerabilities in the Siemens SIMATIC CP 1543-1. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Improper access control - CVE-2019-12815; and
• Loop with unreachable exit condition - CVE-2019-18217

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution and information disclosure without authentication, or unauthenticated denial of service.

Industrial Products Advisory


This advisory describes two vulnerabilities in the Siemens SCALANCE, SIMATIC, SIPLUS products. The vulnerabilities were reported by Artem Zinenko of Kaspersky Lab. Siemens has new versions that mitigate the vulnerabilities. There is no indication that Zinenko has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Data processing errors - CVE-2015-5621; and
• Null pointer dereference - CVE-2018-18065

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote attackers to conduct a denial-of-service attack by sending specially crafted packets to Port 161/UDP (SNMP).

SIMOCODE Update


This update provides additional information on an advisory that was originally published on March 9th, 2019 and most recently updated on January 14th, 2020. The new information includes the addition of two affected products:

• SITOP PSU8600; and
• TIM 1531 IRC

Industrial Products w/OPC UA Update


This update provides additional information on an advisory that was originally published on April 9th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SIMATIC NET PC Software.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SINAMICS DCP.

Industrial Real Time Devices Update


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SINAMICS DCP.

SIMATIC Update


This update provides additional information on an advisory that was originally published on December 10th, 2019. The new information includes updated affected version data and mitigation links for:

• TIM 1531 IRC;
• SIMATIC NET PC Software

Other Siemens Advisories and Updates


Siemens also published two additional advisories and three updates yesterday that have not yet been addressed by NCCIC-ICS.

Additionally, on Monday Siemens published updates of 58 previously published advisories. All of these updates were adding references to the SIPLUS device variants as affected products. Siemens has been adding references to this as they have been updating advisories for the last couple of months, so it looks like they are just doing the final house cleaning on the issue. I do not expect NCCIC-ICS to update all of their applicable advisories.

Thursday, May 8, 2014

ICS-CERT Publishes Digi HeartBleed Advisory

Earlier today the DHS ICS-CERT published an advisory for the HeartBleed vulnerability in various products from Digi. I discussed most of this information in my last HeartBleed post. New information: ICS-CERT reports that firmware updates are available “for most vulnerable Digi International devices”, but does not provide a list. The link provided takes one to a generic product support page where you enter your product name or select a key word to search for; neither HeartBleed nor OpenSSL is an available term.

ICS-CERT is again publishing a HeartBleed advisory without updating their Situational Awareness Alert. I almost don’t blame them, as they would quickly have to go to double letters to identify new updates if they updated the SA every time new information became available.

It would probably have been better to have had a HeartBleed web page to keep updating with new information on vulnerable, formerly vulnerable, and not vulnerable ICS products. Joel Langill over at SCADAHacker.com takes that type of approach. He is currently listing two ‘new’ ICS related vendors, Certes Networks and Unified Automation, as having products with HeartBleed vulnerabilities.

A reader of this blog, Rob Hulsebos, posted a comment on the LinkedIn Cyber Security in Real Time Systems group providing links to HeartBleed information for Emerson, and Insys.


There is probably more ICS HeartBleed information out there if you have the time to search. It sure would be nice if ICS-CERT were doing that for the community.

Tuesday, April 29, 2014

ICS-CERT Publishes 2 HeartBleed Updates and an Advisory

This afternoon the DHS ICS-CERT published updates on a Siemens HeartBleed Advisory, an update of their SA Alert on HeartBleed and one new advisory for an Ecava information disclosure vulnerability.

HeartBleed Updates

My followers on TWITTER® already heard about the Siemens update last Friday morning when Siemens @ProductCert tweeted about the publication of their updated HeartBleed advisory that included notification that their WinCC product now has an update available to fix the HeartBleed bug in that system.

ICS-CERT published their late update of the HeartBleed advisory that they issued on April 15th. The ICS-CERT Situational Awareness Alert was updated to show the new Siemens status. It also adds two new affected industrial control system notifications, one for ABB (Relion 650 series Ver. 1.3.0) and one for Digi (ConnectPort LTS, ConnectPort X2e, Digi Embedded Linux, and Wireless Vehicle Bus Adapter). Separate advisories are in the works. The links above are for the vendor notices.

The ABB mitigation measures are still under development and the Digi updates may already be available (the document was published on 4-18-14 with an availability date for the fix of 4-21-14). Digi is making the remote update service for remote devices available free of charge for 30 days.

ICS-CERT also added a list of Digi devices to the list of unaffected ICS services. This was also found on the Digi web site link identified above.

Ecava Advisory

This advisory reports on an information disclosure vulnerability on the Ecava IntegraXOR product that was reported by Andrea Micalizzi, aka rgod, in a coordinated disclosure via the Zero Day Initiative. Ecava has produced a new version that mitigates the vulnerability, but there is no indication in the advisory that Micalizzi has verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to obtain clear text administrative credentials and own the system.


The Ecava vulnerability note provides additional mitigation measures that can be employed to mitigate the vulnerability until the patch is put into place. They note that since the complete project URL is needed to exploit this vulnerability, owner/operators should avoid publication of the full URL. They also recommend avoiding the use of the default port number.