Showing posts with label Emanuel Almeida.

Tuesday, July 14, 2020

9 Advisories Published – 7-14-20


Today the CISA NCCIC-ICS published eight control system security advisories for products from Siemens (6), Moxa and Advantech. They also published one medical device security advisory for products from Capsule Technologies.

NOTE: NCCIC-ICS also published 12 updates, but I will not try to get a report done on those this evening. Look for it tomorrow morning.

Logo Advisory


This advisory describes a classic buffer overflow vulnerability in the Siemens LOGO! Web Server. The vulnerability was reported by Alexander Perez-Palma and Dave McDaniel from Cisco Talos and Emanuel Almeida from Cisco Systems. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

Opcenter Advisory


This advisory describes three vulnerabilities in the Siemens Opcenter Execution Core. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7576,
• SQL injection - CVE-2020-7577, and
• Improper access control - CVE-2020-7578

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain session cookies, read and modify application data, read internal information, and perform unauthorized changes. Should the attacker gain access to the session cookies, they could then hijack the session and perform arbitrary actions in the name of the victim.

SIMATIC S7 Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC S7-200 SMART CPU family. The vulnerability was reported by Ezequiel Fernandez. Siemens has a new version that mitigates the vulnerability. There is no indication that Fernandez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to cause a denial-of-service condition.

UMC Stack Advisory


This advisory describes three vulnerabilities in the Siemens UMC Stack. The vulnerabilities were reported by Victor Fidalgo of INCIBE and Reid Wightman of Dragos. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Unquoted search path or element - CVE-2020-7581,
• Uncontrolled resource consumption - CVE-2020-7587, and
• Improper input validation - CVE-2020-7588

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to cause a partial denial-of-service condition on the UMC component of the affected devices under certain circumstances. This could also allow an attacker to locally escalate privileges from a user with administrative privileges to execute code with SYSTEM level privileges.

SIMATIC HMI Advisory


This advisory describes a cleartext transmission of sensitive information in the Siemens SIMATIC HMI Panels. The vulnerability was reported by Richard Thomas and Tom Chothia of the University of Birmingham.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to access sensitive information under certain circumstances.

SICAM Advisory


This advisory describes nine vulnerabilities in the Siemens SICAM MMU, SICAM T and SICAM SGU products. The vulnerabilities were reported by Luca Simbürger, Luca Hofschuster, Lukas Kahnert, Jakob Lachermeier, Christian Costa, Simon Huber, Lukas Sas Brunschier, Florian Freiberger, Florian Burger, Marie-Louise Oostveen, Magdalena Thomeczek, and Johann Uhrmann from Landshut University of Applied Sciences and Max Hirschberger, Simon Hofmann, and Peter Knauer from Augsburg University of Applied Sciences. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-10037,
• Missing authentication for critical function - CVE-2020-10038,
• Missing encryption of sensitive data - CVE-2020-10039,
• Use of password hash with insufficient computational effort - CVE-2020-10040,
• Cross-site scripting - CVE-2020-10041,
• Classic buffer overflow - CVE-2020-10042,
• Basic XSS - CVE-2020-10043, and
• Authentication bypass by capture replay - CVE-2020-10045

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to affect the availability, read sensitive data, and gain remote code execution on the affected devices.

Moxa Advisory


This advisory describes a stack-based buffer overflow in the Moxa EDR-G902 and EDR-G903 Series Routers. The vulnerability was reported by Tal Keren of Claroty. Moxa has a firmware patch that mitigates the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

NOTE 1: NCCIC-ICS did not publish a link to the Moxa advisory.

NOTE 2: I briefly discussed this vulnerability last month.

Advantech Advisory


This advisory describes six vulnerabilities in the Advantech iView device management application. The vulnerabilities were reported by rgod via the Zero Day Initiative. Advantech has a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• SQL injection - CVE-2020-14497,
• Path traversal - CVE-2020-14507,
• Command injection - CVE-2020-14505,
• Improper input validation - CVE-2020-14503,
• Missing authentication for critical function - CVE-2020-14501, and
• Improper access control - CVE-2020-14499

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application.

Capsule Technologies Advisory


This advisory describes protection mechanism failure in the Capsule Technologies SmartLinx Neuron 2 medical device platform. The vulnerability was reported by Patrick DeSantis of Cisco Talos (NOTE: Talos report includes exploit code). Capsule Technologies has a new version that mitigates the vulnerability. There is no indication that DeSantis has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to exploit the vulnerability to provide an attacker with full control of a trusted device on a hospital’s internal network.

Tuesday, June 9, 2020

6 Advisories and 4 Updates Published


Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (4), Mitsubishi Electric and Advantech. They also updated four advisories for products from Philips, Siemens (2) and OSIsoft.

SINUMERIK Advisory


This advisory describes 22 vulnerabilities in the Siemens SINUMERIK products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The 22 reported vulnerabilities are:

• Buffer underflow - CVE-2018-15361,
• Heap-based buffer overflow (5) - CVE-2019-8258, CVE-2019-8262, CVE-2019-8271, CVE-2019-8273, and CVE-2019-8274,
• Improper initialization - CVE-2019-8259,
• Out-of-bounds read (3) - CVE-2019-8260, CVE-2019-8267, and CVE-2019-8270,
• Stack-based buffer overflow (3) - CVE-2019-8263, CVE-2019-8269, and CVE-2019-8276,
• Access of memory location after end of buffer (4) - CVE-2019-8264, CVE-2019-8265, CVE-2019-8266, and CVE-2019-8280,
• Off-by-one error (2) - CVE-2019-8268, and CVE-2019-8272,
• Improper null termination - CVE-2019-8275, and
• Improper initialization - CVE-2019-8277

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.

Note: according to the Siemens advisory these are third-party vulnerabilities (in this case, in UltraVNC, a remote access system) that were reported by Kaspersky. A number of other VNC systems were included in that report.

SIMATIC Advisory #1


This advisory describes two vulnerabilities in the Siemens SIMATIC and SINAMICS products. The vulnerabilities were reported by Nadav Erez of Claroty. Siemens has new versions that mitigate the vulnerabilities. There is no indication that Erez has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Uncontrolled search path - CVE-2020-7585, and
• Heap-based buffer overflow - CVE-2020-7586

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to affect the availability of the devices under certain conditions.

NOTE: According to the Siemens advisory the vulnerabilities were reported by Uri Katz of Claroty.

SIMATIC Advisory #2


This advisory describes an unquoted search path or element vulnerability in the Siemens SIMATIC, SINAMICS, SINEC, SINEMA and SINUMERIK products. This vulnerability was reported by Ander Martinez of Titanium Industrial Security via INCIBE. Siemens has some updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with authorized local access could exploit the vulnerability to execute custom code with SYSTEM level privileges.
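The unquoted search path weakness named in this advisory (and in the UMC Stack advisory above) comes from a Windows service ImagePath that contains spaces but no surrounding quotes, so the service control manager may resolve an executable earlier on the path than the intended one. The following is an added defensive audit example, not code from the original post or from Siemens or CISA: it takes constructed sample ImagePath values (the service names and paths are made up for the demonstration), flags the unquoted ones, and lists the directories whose write ACLs an administrator should review. Reading real values from the registry is left to the caller.

```python
import ntpath
import re

# Constructed sample ImagePath values, in the form they would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.  These are made-up
# entries for the demonstration, not services from any real host or product.
SAMPLE_SERVICES = {
    "GoodQuoted": '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "BadUnquoted": 'C:\\Program Files\\Vendor App\\svc.exe -run',
    "NoSpaces": 'C:\\Vendor\\svc.exe',
    "SystemRoot": 'C:\\Windows\\system32\\svchost.exe -k netsvcs',
    "EnvUnquoted": '%ProgramFiles%\\Vendor App\\bin\\agent.exe',
}


def executable_part(image_path: str) -> str:
    """Return the executable portion of an ImagePath value, without quotes or arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    # Unquoted: the executable runs up to and including the first ".exe" token.
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ", 1)[0]


def is_unquoted_search_path(image_path: str) -> bool:
    """True when the executable path contains a space and the value is not quoted."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)


def directories_to_review(image_path: str) -> list:
    """For an unquoted path, the directories whose ACLs must deny write access to
    unprivileged users, because Windows would probe for an executable there first."""
    if not is_unquoted_search_path(image_path):
        return []
    exe = executable_part(image_path)
    dirs = []
    # Each prefix that ends just before a space is a location Windows would try.
    for idx, ch in enumerate(exe):
        if ch == " ":
            d = ntpath.dirname(exe[:idx])
            if d and d not in dirs:
                dirs.append(d)
    return dirs


def audit(services: dict) -> dict:
    """Map each flagged service name to the directories an administrator should check."""
    return {
        name: directories_to_review(path)
        for name, path in services.items()
        if is_unquoted_search_path(path)
    }


if __name__ == "__main__":
    for name, dirs in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath; review write ACLs on {dirs}")
```

The remediation the advisory class calls for is the vendor's: quote the path in the service definition. Until the update is applied, the directories this audit reports are the ones to confirm are not writable by standard users.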

LOGO! Advisory


This advisory describes a missing authentication for critical function vulnerability in the Siemens LOGO! product. The vulnerability was reported by Alexander Perez-Palma of Cisco Talos and Emanuel Almeida of Cisco Systems. Siemens has provided generic mitigation measures for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to read and modify device configurations and obtain project files from affected devices.

NOTE: The Siemens advisory says that an attacker would have to have access to port 135/tcp to exploit this vulnerability.

Mitsubishi Advisory


This advisory describes a resource exhaustion vulnerability in the Mitsubishi MELSEC iQ-R series modules. The vulnerability was reported by Yossi Reuven of SCADAfence. Mitsubishi has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the Ethernet port to enter a denial-of-service condition.

Advantech Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Advantech WebAccess Node. The vulnerability was reported by Z0mb1E via the Zero Day Initiative. Advantech has a patch that mitigates the vulnerability. There is no indication that Z0mb1E has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the application being accessed; a buffer overflow condition may allow remote code execution.

Philips Update


This update provides additional information on an advisory that was originally published on August 16th, 2018. The new information includes:

• Extending the expected update publication from mid-2019 to 3rd Quarter 2020, and
• Changed mitigation instructions for PageWriter TC50 and TC70

SIMATIC Update


This update provides additional information on an advisory that was originally published on December 10th, 2019 and most recently updated on March 10th, 2020. The new information includes:

• Revised version and mitigation information for SIMOCODE pro V PN, and
• Clarified update version information for SINAMICS G130/G150/S150 and SINAMICS S120

Industrial Products Update


This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated April 14th, 2020. The new information includes:

• Added products SIMATIC NET CP 443-1 OPC UA, CP 443-1 RNA, CP 442-1 RNA, CP 443-1, CP 443-1 Advanced and CP 343-1 Advanced,
• Included additional information to CP 1623 and CP 1628 regarding affected CVE,
• Added new vulnerability: Excessive data query operations in large data table - CVE-2019-8460

Other Siemens Update


There was one other Siemens update that was published today. I will cover it this weekend.

OSIsoft Update


This update provides additional information on an advisory that was originally published on May 12th, 2010. The new information includes:

• Four new affected products:
  PI Connector for IEC 60870-5-104,
  PI Connector for OPC-UA,
  PI Connector for Siemens Simatic PCS 7, and
  PI Connector for UFL; and
• Major change to mitigation measures
