Showing posts with label Dragos. Show all posts

Sunday, June 13, 2021

Review - Public ICS Disclosures – Week of 6-5-21 – Part 2

This week we have four vendor disclosures from Schneider Electric. There are also six updates available for advisories from Schneider (4) and Siemens (2). Finally, we have a research report for vulnerabilities in three message broker applications.

Schneider Advisories

Schneider published an advisory describing two vulnerabilities in their PowerLogic PM55xx and PowerLogic PM8ECC products.

Schneider published an advisory describing six vulnerabilities in their PowerLogic EGX100 and EGX300 products.

Schneider published an advisory discussing the ISaGRAF vulnerabilities in their IEC 61131-3 Programming and Engineering Tools.

Schneider published an advisory describing an improper privilege management vulnerability in their Enerlin'X Com’X 510 product.

Schneider Updates

Schneider published an update for their EcoStruxure™ Machine Expert advisory that was originally published on May 11th, 2021.

Schneider published an update for their C-bus Toolkit advisory that was originally published on April 15, 2021.

Schneider published an update for their PLC Simulator advisory that was originally published on November 10th, 2020.

Schneider published an update for their Modicon Controllers advisory that was originally published on May 18th, 2019.

Siemens Updates

Siemens published an update for the Industrial Software advisory that was originally published on July 9th, 2020 and most recently updated on March 9th, 2021.

Siemens published an update for their Industrial PCs advisory that was originally published on May 11th, 2021.

Researcher Report

Synopsys Cybersecurity Research Center published a report describing separate denial of service vulnerabilities in three message broker applications used in many IoT communications processes.


For more detailed information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-794 (subscription required)

Tuesday, October 13, 2020

6 Advisories Published – 10-13-20

Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (2), Fieldcomm Group, Flexera, LCDS, and Moxa.

SIPORT Advisory

This advisory describes a use of client-side authentication vulnerability in the Siemens SIPORT MP access control system. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an authenticated attacker to impersonate other users of the system and perform (potentially administrative) actions on behalf of those users if the single sign-on feature (“Allow logon without password”) is enabled.

Desigo Advisory

This advisory describes three vulnerabilities in the Siemens Desigo Insight product. The vulnerabilities were reported by Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, and Massimiliano Brolli from TIM Security Red Team Research. Siemens has a ‘hotfix’ available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• SQL injection - CVE-2020-15792,

• Improper restriction of rendered UI layers or frames - CVE-2020-15793, and

• Exposure of sensitive information to an unauthorized actor - CVE-2020-15794

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to retrieve or modify data and gain access to sensitive information.

Fieldcomm Group Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fieldcomm HART-IP Developer Kit. The vulnerability was reported by Reid Wightman from Dragos, Inc. Fieldcomm has a new version for one of the affected products that mitigates the vulnerability. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

Flexera Advisory

This advisory describes an untrusted search path vulnerability in the Flexera InstallShield product. The vulnerability was reported by an anonymous researcher. Flexera will only provide mitigation measures and workarounds to registered owners.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow execution of a malicious DLL.

NOTE: This vulnerability was reported by Flexera in 2016, so why is NCCIC-ICS reporting this now? Both IBM (Tivoli Storage Manager) and Tenable (Nessus Network Monitor) have issued advisories covering this as a third-party vulnerability in 2016 and 2019 respectively. I suspect that there are other vendors that also use InstallShield that may be unaware of the vulnerability or may not have addressed it.

LCDS Advisory

This advisory describes an out-of-bounds read vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by an anonymous researcher via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

Moxa Advisory

This advisory describes six vulnerabilities in the Moxa NPort IAW5000A-I/O Series integrated serial device server. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has an updated firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation - CVE-2020-25198,

• Improper privilege management - CVE-2020-25194,

• Weak password requirements - CVE-2020-25153,

• Cleartext transmission of sensitive information - CVE-2020-25190,

• Improper restriction of excessive authorization attempts - CVE-2020-25196, and

• Exposure of sensitive information to unauthorized actor - CVE-2020-25192

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain access to and hijack a session; allow an attacker with user privileges to perform requests with administrative privileges; allow the use of weak passwords; allow credentials of third-party services to be transmitted in cleartext; allow the use of brute force to bypass authentication on an SSH/Telnet session; or allow access to sensitive information without proper authorization.

NOTE: I briefly described these vulnerabilities back in August. Moxa has updated their advisory to list the CVE numbers assigned by NCCIC-ICS.

Siemens Updates

NCCIC-ICS also published four Siemens updates today. I will cover them in a post tomorrow.

Friday, July 24, 2020

1 Advisory Published – 7-23-20


Yesterday the CISA NCCIC-ICS published a control system security advisory for products from Schneider Electric.

Schneider Advisory

This advisory describes five vulnerabilities in the Schneider Triconex TriStation and Triconex Tricon Communication Module. The vulnerabilities were reported by Reid Wightman of Dragos, Inc. Schneider has new versions that mitigate the vulnerabilities and has pushed notification to customers.

The five reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2020-7483,
• Uncontrolled resource consumption - CVE-2020-7484 and CVE-2020-7486,
• Hidden functionality - CVE-2020-7485, and
• Improper access control - CVE-2020-7491

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to view clear text data on the network, cause a denial-of-service condition, or allow improper access.

Saturday, June 6, 2020

Public ICS Disclosures – Week of 5-30-20


This week we have three vendor disclosures from Phoenix Contact, PEPPERL+FUCHS and SICK plus an update of a previous vendor disclosure from Johnson Controls.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing a buffer overflow vulnerability in the Linux Point-to-Point Protocol (PPP) daemon in their FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT devices. The vulnerability is apparently being self-reported. Phoenix Contact has firmware versions that mitigate the vulnerability.

NOTE: this is the same vulnerability, CVE-2020-8597, reported the week before by Belden.

PEPPERL+FUCHS Advisory


CERT VDE published an advisory describing two vulnerabilities in the PEPPERL+FUCHS PACTware. The vulnerabilities were reported by Reid Wightman of Dragos, Inc. PEPPERL+FUCHS has new versions that mitigate the vulnerabilities. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Storing passwords in recoverable format - CVE-2020-9403, and
• Unverified password change - CVE-2020-9404

SICK Advisory


SICK published an advisory describing a profile programming vulnerability in their bar code scanners. The vulnerability was reported by Ruben Santamarta of IOActive. SICK provides a workaround to mitigate the vulnerability.

NOTE: This is another ‘a feature is a vulnerability’ situation. These barcode scanners can be ‘programmed’ by the barcodes that they scan. Thus, substituting a malicious barcode can upset the system to which the scanner is attached. The fix is to disable the feature.

Johnson Controls Update


Johnson Controls published an update for an advisory that was originally published on May 21st, 2020 and most recently updated on May 29th, 2020. The new information includes a minor modification to the mitigation instruction for American Dynamics victor Video Management System v5.2 (change “Securely delete the installer log file…” to “Delete the installer log file…”).

The NCCIC-ICS published their advisory on these vulnerabilities (ICSA-20-142-01), but has not yet addressed any of the Johnson Controls updates.

Saturday, April 11, 2020

Public ICS Disclosures -Week of 4-4-20


This week we have three vendor disclosures for products from B&R Automation, Moxa and Rockwell Automation. There are also two sets of researcher reports for products from Advantech and Universal Robots.

B&R Advisory


B&R published an advisory describing three vulnerabilities in their Automation Studio. The vulnerabilities were reported by Yehuda Anikster and Amir Preminger from Claroty. B&R has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Privilege escalation – CVE-2019-19100;
• Incomplete communication encryption and validation – CVE-2019-19101; and
• Zip Slip vulnerability (third-party vulnerability) – CVE-2019-19102

Moxa Advisory


Moxa published an advisory on the kr00k vulnerability in their products. They report that none of their products are affected.

NOTE: Negative reports about 3rd party vulnerabilities are just as important as reporting an active vulnerability in a product.

Rockwell Advisory


Rockwell published an advisory describing a file permission vulnerability in their Current Program Updater software. The vulnerability was reported by Reid Wightman from Dragos. Rockwell has new versions that mitigate the vulnerability. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

NOTE: Rockwell is reporting a 2017 CVE (CVE-2017-5176) for this vulnerability. That vulnerability was reported by ICS-CERT on March 21st, 2017. If NCCIC-ICS were to pick up this advisory it would probably be as an update to that earlier advisory.

Advantech Reports


The Zero Day Initiative published five related reports (here, here, here, here, and here) for 0-day arbitrary file deletion vulnerabilities in the Advantech WebAccess program. The vulnerabilities were reported by Natnael Samson. ZDI reports that it has reported all five vulnerabilities to Advantech and ICS-CERT (their naming not mine) noting: “The vendor communicated that they will rely on existing measures and will add no amendments to the code.”

Universal Robots Reports


Aliasrobotics published four reports of vulnerabilities for products from Universal Robots. The vulnerabilities were reported by rvd-bot, bedieber and bbreilin. Aliasrobotics reportedly contacted Universal Robots about these vulnerabilities but has received no replies.

The four reported vulnerabilities are (links are to github pages which include proof-of-concept exploit code):

• Missing encryption of sensitive data - CVE-2020-10267;
• Missing authentication for critical function - CVE-2020-10265;
• Insufficient verification of data authenticity - CVE-2020-10266; and
• Exposure of sensitive information to unauthorized actor - CVE-2020-10264

Friday, May 3, 2019

Three Advisories Published – 05-02-19


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Sierra Wireless, GE, and Orpak.

Sierra Wireless Advisory


This advisory describes seven vulnerabilities in the Sierra Wireless AirLink ALEOS. The vulnerabilities were reported by Carl Hurd and Jared Rittle of Cisco Talos. Sierra Wireless reports that the latest version of ALEOS (not all yet available) mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

OS command injection - CVE-2018-4061;
Use of hard-coded credentials - CVE-2018-4062;
Unrestricted upload of file with dangerous type - CVE-2018-4063;
Cross-site scripting - CVE-2018-4065;
Cross-site request forgery - CVE-2018-4066;
Information exposure - CVE-2018-4067; and
Missing encryption of sensitive data - CVE-2018-4069

The Talos web site lists six additional vulnerabilities (with exploits) {NOTE: the Sierra Wireless advisory (.PDF Download) explains these ‘vulnerabilities’}:

Information exposure - CVE-2018-4068;
Unverified password change - CVE-2018-4064;
Information disclosure (2) - CVE-2018-4070, CVE-2018-4071; and
Permission assignment (2) - CVE-2018-4072, CVE-2018-4073

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit these vulnerabilities to remotely execute code, discover user credentials, upload files, or discover file paths.

GE Advisory


This advisory describes five vulnerabilities in the General Electric Communicator. The vulnerabilities were reported by Reid Wightman of Dragos. GE has a new version that mitigates the vulnerabilities. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

Uncontrolled search path (2) - CVE-2019-6564 and CVE-2019-6546;
Hard-coded credentials - CVE-2019-6548; and
Improper access controls (2) - CVE-2019-6544 and CVE-2019-6566

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges, manipulate widgets and UI elements, gain control over the database, or execute administrative commands.

Orpak Advisory


This advisory describes six vulnerabilities in the Orpak SiteOmat fuel management software. The vulnerabilities were reported by Ido Naor of Kaspersky Lab. Orpak has an update available that mitigates the vulnerabilities. There is no indication that Naor has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

Use of hard-coded credentials - CVE-2017-14728;
Cross-site scripting - CVE-2017-14850;
SQL injection - CVE-2017-14851;
Missing encryption of sensitive data - CVE-2017-14852;
Code injection - CVE-2017-14853; and
Stack-based buffer overflow - CVE-2017-14854

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (NOTE: The exploits have been available for over one year) to remotely exploit these vulnerabilities to effect arbitrary remote code execution resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information.

Saturday, April 13, 2019

Public ICS Disclosures – Week of 04-06-19


This week we have four vendor disclosures from WAGO, Bosch (2), and Schneider; and two vendor updates from Siemens.

WAGO Advisory


CERT-VDE published an advisory describing a use of hardcoded credentials vulnerability in the WAGO Series 750-88x and 750-87x devices. The vulnerability was reported by Jörn Schneeweisz of Recurity Labs. WAGO has firmware updates available that mitigate the vulnerability. There is no indication that Schneeweisz has been provided an opportunity to verify the efficacy of the fix.

NOTE: I suspect that NCCIC-ICS will publish an advisory on this vulnerability next week.

Bosch Advisories


Bosch published an advisory describing a buffer overflow vulnerability in the Bosch Security Systems Software for Video, PSIM and Access. This vulnerability is apparently self-reported. Bosch has software updates that mitigate the vulnerability.

Bosch published an advisory describing an improper access control vulnerability in the Bosch Security Systems Software for Video, PSIM and Access Control Systems. This vulnerability is apparently self-reported. Bosch has software updates that mitigate the vulnerability.

Schneider Advisory


Schneider published an advisory describing an externally controlled reference to a resource vulnerability in the Schneider Modbus Serial Driver. The vulnerability was reported by Reid Wightman of Dragos. Schneider has an updated driver that mitigates the vulnerability. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens updated an advisory for Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products. Siemens added a solution for SIMATIC HMI Panels V14.

NOTE: NCCIC-ICS will not update their advisory for this vulnerability since the link to the Siemens advisory will take one to the current version.

Siemens updated an advisory for Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. Siemens added CVE-2019-6293 to the list of vulnerabilities covered by this advisory.

NOTE: NCCIC-ICS has not published an advisory or alert on this family of Linux vulnerabilities.

Wednesday, August 29, 2018

ICS Advisory Study by Dragos


Yesterday I ran across an interesting infographic on LinkedIn that was produced by Dragos. It provided some provocative statistics about control system security advisories that were published in 2017. I am not a big fan of infographics; I prefer to look at the analysis that went into putting together the infographic. So, I asked for and received a link to the report from Dragos that actually includes the infographic.

I have generally been a fan of Dragos incident and vulnerability reporting, but I am disappointed in this report. The infographic has some tantalizing extracted information, but the full published report is little more than a series of bullet points that describes the information from the infographic. To tell the truth, I am not sure what came first, the infographic or the report.

The important information in the report is really summarized neatly by the two paragraph introduction by Reid Wightman. Unfortunately, the information supporting Reid’s comments is not very detailed and there is a total lack of specific examples that explicate the points that Reid makes. While I agree with Reid’s conclusions and almost all of the points raised in the report, it is not because of the in-depth reporting in this document. Rather I have seen what the report describes in my own perusal of ICS-CERT vulnerability reporting over the last ten years or so.

My major question about the reporting here is about the source of the data. According to the report, the data is based upon the Dragos analysis of “163 vulnerability advisories with an industrial control system (ICS) impact” that Dragos tracked in 2017. It is not clear if these were advisories produced by vendors or by ICS-CERT. I am hoping that ICS-CERT advisories were the basis for the analysis, because those advisories at least have a commonality of terminology and an attempt at consistency in the data presented. Furthermore, for many vulnerabilities (particularly those in products from the smaller vendors), the ICS-CERT advisory is apparently the only real report that exists.

If Dragos was relying on data from vendor vulnerability reports (and this would have certainly been a more challenging analysis) then they have failed to acknowledge the disparity in the reporting efficacy of the different vendors. Major vendors (like Siemens, Rockwell, etc.) do a much more complete job of reporting the kind of data that the Dragos report calls for. They should be commended for the efforts that they do take to produce useable (but still frequently flawed) vulnerability reports.

Two very important points are made in both the infographic and the report and they both deserve wide spread discussion. First, “85% of 2017 ICS-related vulnerabilities apply late in the kill chain and are not useful to gaining an initial foothold. If these vulnerabilities are exploited, it is likely the adversary has been active in the network for some time and already pivoted through various other systems”. Second, “61% of 2017 ICS-related vulnerabilities cause both a loss of view and a loss of control – likely causing severe operational impact”. What I would like to know, is what percentage of the vulnerabilities that could be useful to gain an initial foothold could lead to a loss of view and/or control. That is the type of information I was hoping to see in this Dragos report.

Do not get me wrong. Everyone in the ICS community should look at the infographic (which should certainly be shared with management outside of the immediate ICS environment) and read this report. Vendors should certainly take the report's recommendations to heart. I just wish that there had been a little more red meat here.

Thursday, December 14, 2017

Another ICS Attack in the Wild

It has not made the mainstream news yet, but today FireEye and Dragos are both reporting an attack on an industrial control system in an unnamed facility in Saudi Arabia. While the details being released are sketchy (paying customers are presumably getting more details), the important take-away from these two reports is that both organizations confirm that a successful attack (plant shutdown) was made on the safety-instrumented-system (SIS) at the facility.

For those readers with a good technical background, read the two reports noted above; these two organizations have a much better grasp of the technical details than I. For those with a less technical background read-on (and note: the mistakes of interpretation are mine).

Safety Instrumented Systems


For most automated manufacturing systems, if something really goes wrong with the system, then some product is messed up, maybe some workers get injured, or maybe someone gets killed; but the results are local. For some manufacturing systems, however, the consequences can be much larger and harder to control. Some chemical plants and nuclear power generation facilities come readily to mind.

For these types of automated facilities there is another (additional) type of control system that stands between normal operations and catastrophe, the Safety Instrumented System. These generally separate control systems rely on the fact that at some intermediate point between normal operations and catastrophe there is a point at which, if the proper steps are taken in a timely manner, the process can be safely shut down before catastrophe becomes inevitable and everyone has to run for the hills.

We used to rely on human operators to perform these emergency shutdowns. But, as processes became more complex and the paths to catastrophe became more numerous, it quickly became apparent that only automated control systems could be relied upon to recognize the burgeoning problem and take the appropriate timely actions necessary, each and every time. And safety instrumented systems were born.

At its most basic, a SIS consists of a computer, a limited number of sensors, and a limited number of process actuators (valves and such). The computer is programmed to watch the sensor(s); if they reach certain value(s) then the actuator(s) are operated, and the process is safely terminated. The product is almost certainly bad, local equipment may be damaged, some cleanup and downtime will be required, but catastrophe will have been averted.

If the SIS fails, there is one final layer of protection that will help mitigate the resulting catastrophe. These are things like pressure relief valves, rupture disks, sprinkler systems, and spill control systems. Unfortunately, if these were truly effective responses to the catastrophic failure, then a SIS would probably not be employed. The SIS is a pain to design (each is a custom design), expensive to install and a maintenance problem. They are typically not employed if the worst-case scenario for a facility will be contained within the facility.

SIS Security


While industrial control system security has been problematic at best, SIS security is a slightly different story. Not because anyone was really concerned about hackers, but because no one wanted human error to get in the way of proper system operation. So, SISs were generally the last systems to be connected to any outside networks, and most require the operation of an actual, true-to-life physical key to program the computer.

The SIS is placed in the program mode where it is programmed, tested, and then placed in the stop mode with the key removed from the system. Before the hazardous process is started, the key is re-inserted, the SIS is placed in the run mode and the key is again removed. The process is reversed when the hazardous process is over. This should be just about as good as it gets.
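To make the two ideas above concrete (a SIS as a computer that trips actuators when sensors cross a limit, and a key switch that gates the program/stop/run modes), here is a small added simulation. It is example code written for this page, not code from the post, from Dragos, from FireEye or from any SIS vendor; the class and rule names, the sensor tag, the trip limit and the readings are all constructed for illustration. It shows why the key-switch procedure matters: with the key removed, neither a mode change nor a logic change is accepted, whatever the network-facing side of the system asks for.

```python
"""Toy model of a Safety Instrumented System (SIS) with a physical key switch.

Added example for illustration only. Every name and value here is
constructed; it is not a model of any real vendor's controller.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    STOP = "stop"        # logic loaded, not evaluating
    PROGRAM = "program"  # logic may be changed (key required to enter)
    RUN = "run"          # evaluating trip rules every scan


@dataclass
class TripRule:
    """Trip when `sensor` reaches `limit`; drive `actuator` to its safe state."""
    sensor: str
    limit: float
    actuator: str


@dataclass
class SafetySystem:
    key_inserted: bool = False
    mode: Mode = Mode.STOP
    rules: list = field(default_factory=list)
    actuator_state: dict = field(default_factory=dict)
    tripped: bool = False
    log: list = field(default_factory=list)

    def insert_key(self) -> None:
        self.key_inserted = True

    def remove_key(self) -> None:
        self.key_inserted = False

    def set_mode(self, mode: Mode) -> bool:
        """Mode changes need the physical key, as the post describes."""
        if not self.key_inserted:
            self.log.append(f"REJECTED mode change to {mode.value}: key not inserted")
            return False
        self.mode = mode
        self.log.append(f"mode -> {mode.value}")
        return True

    def load_rule(self, rule: TripRule) -> bool:
        """Logic changes are accepted only in PROGRAM mode (itself key-gated)."""
        if self.mode is not Mode.PROGRAM:
            self.log.append(f"REJECTED logic change: mode is {self.mode.value}")
            return False
        self.rules.append(rule)
        self.log.append(f"rule loaded: {rule.sensor} >= {rule.limit} -> {rule.actuator}")
        return True

    def scan(self, readings: dict) -> list:
        """One scan cycle. Returns the actuators operated in this cycle."""
        if self.mode is not Mode.RUN:
            return []
        operated = []
        for rule in self.rules:
            value = readings.get(rule.sensor)
            if value is not None and value >= rule.limit:
                self.actuator_state[rule.actuator] = "closed"  # constructed safe state
                self.tripped = True
                operated.append(rule.actuator)
                self.log.append(f"TRIP {rule.sensor}={value} >= {rule.limit} -> {rule.actuator}")
        return operated


def commission(sis: SafetySystem, rules: list) -> None:
    """Program, then stop and pull the key: the procedure from the post."""
    sis.insert_key()
    sis.set_mode(Mode.PROGRAM)
    for rule in rules:
        sis.load_rule(rule)
    sis.set_mode(Mode.STOP)
    sis.remove_key()


def start_process(sis: SafetySystem) -> None:
    """Key in, RUN, key out again before the hazardous process starts."""
    sis.insert_key()
    sis.set_mode(Mode.RUN)
    sis.remove_key()


def demo() -> SafetySystem:
    """Walk a constructed pressure-trip rule through the full procedure."""
    sis = SafetySystem()
    commission(sis, [TripRule("reactor_pressure", 12.0, "feed_valve")])
    start_process(sis)
    sis.scan({"reactor_pressure": 10.5})  # below the limit: nothing happens
    sis.scan({"reactor_pressure": 12.0})  # at the limit: feed_valve closed
    return sis


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

The two properties worth noticing are in `set_mode` and `load_rule`: once the key is out, the system will neither leave RUN nor accept new logic, so any attempt to change what it does has to come through someone physically at the cabinet, which is exactly the separation the post's procedure is meant to provide.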

Unfortunately, someone again has proved that what man can secure, some other man can hack. Again, for details, read the two reports.

Take Away


DO NOT PANIC. This is not the end of industrial control system safety. Whoever attacked this facility went to an awful lot of work: first to reverse engineer the SIS involved, second to understand the process at the facility where this attack was initiated, and third to compromise the security at the facility to get the hack initiated. A lot of time, engineering and money (sounds like a nation-state to me) went into this attack and it failed. It screwed up and apparently unintentionally shut down the process (safely), which ended up alerting the system owners to the apparent hack.


If you want to know how to protect your SIS, read either (better, both) reports, but there is really nothing new there. Isolate your SIS from the internet and other networks, secure access (physical and virtual) to the SIS equipment and follow SIS operations guidelines. And from me, train your operations personnel so that they fully understand the processes they control and listen to them when they report anomalous system behaviors.