Showing posts with label Ezequiel Fernandez. Show all posts

Tuesday, July 14, 2020

9 Advisories Published – 7-14-20


Today the CISA NCCIC-ICS published eight control system security advisories for products from Siemens (6), Moxa and Advantech. They also published one medical device security advisory for products from Capsule Technologies.

NOTE: NCCIC-ICS also published 12 updates, but I will not try to get a report done on those this evening. Look for it tomorrow morning.

Logo Advisory


This advisory describes a classic buffer overflow vulnerability in the Siemens LOGO! Web Server. The vulnerability was reported by Alexander Perez-Palma and Dave McDaniel from Cisco Talos and Emanuel Almeida from Cisco Systems. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

Opcenter Advisory


This advisory describes three vulnerabilities in the Siemens Opcenter Execution Core. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7576,
• SQL injection - CVE-2020-7577, and
• Improper access control - CVE-2020-7578

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain session cookies, read and modify application data, read internal information, and perform unauthorized changes. Should the attacker gain access to the session cookies, they could then hijack the session and perform arbitrary actions in the name of the victim.

SIMATIC S7 Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC S7-200 SMART CPU family. The vulnerability was reported by Ezequiel Fernandez. Siemens has a new version that mitigates the vulnerability. There is no indication that Fernandez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to cause a denial-of-service condition.

UMC Stack Advisory


This advisory describes three vulnerabilities in the Siemens UMC Stack. The vulnerabilities were reported by Victor Fidalgo of INCIBE and Reid Wightman of Dragos. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Unquoted search path or element - CVE-2020-7581,
• Uncontrolled resource consumption - CVE-2020-7587, and
• Improper input validation - CVE-2020-7588

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to cause a partial denial-of-service condition on the UMC component of the affected devices under certain circumstances. This could also allow an attacker to locally escalate privileges from a user with administrative privileges to execute code with SYSTEM level privileges.

SIMATIC HMI Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in the Siemens SIMATIC HMI Panels. The vulnerability was reported by Richard Thomas and Tom Chothia of the University of Birmingham.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to access sensitive information under certain circumstances.

SICAM Advisory


This advisory describes nine vulnerabilities in the Siemens SICAM MMU, SICAM T and SICAM SGU products. The vulnerabilities were reported by Luca Simbürger, Luca Hofschuster, Lukas Kahnert, Jakob Lachermeier, Christian Costa, Simon Huber, Lukas Sas Brunschier, Florian Freiberger, Florian Burger, Marie-Louise Oostveen, Magdalena Thomeczek, and Johann Uhrmann from Landshut University of Applied Sciences and Max Hirschberger, Simon Hofmann, and Peter Knauer from Augsburg University of Applied Sciences. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-10037,
• Missing authentication for critical function - CVE-2020-10038,
• Missing encryption of sensitive data - CVE-2020-10039,
• Use of password hash with insufficient computational effort - CVE-2020-10040,
• Cross-site scripting - CVE-2020-10041,
• Classic buffer overflow - CVE-2020-10042,
• Basic XSS - CVE-2020-10043, and
• Authentication bypass by capture replay - CVE-2020-10045

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to affect the availability, read sensitive data, and gain remote code execution on the affected devices.

Moxa Advisory


This advisory describes a stack-based buffer overflow in the Moxa EDR-G902 and EDR-G903 Series Routers. The vulnerability was reported by Tal Keren of Claroty. Moxa has a firmware patch that mitigates the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

NOTE 1: NCCIC-ICS did not publish a link to the Moxa advisory.

NOTE 2: I briefly discussed this vulnerability last month.

Advantech Advisory


This advisory describes six vulnerabilities in the Advantech iView device management application. The vulnerabilities were reported by rgod via the Zero Day Initiative. Advantech has a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• SQL injection - CVE-2020-14497,
• Path traversal - CVE-2020-14507,
• Command injection - CVE-2020-14505,
• Improper input validation - CVE-2020-14503,
• Missing authentication for critical function - CVE-2020-14501, and
• Improper access control - CVE-2020-14499

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application.

Capsule Technologies Advisory


This advisory describes a protection mechanism failure vulnerability in the Capsule Technologies SmartLinx Neuron 2 medical device platform. The vulnerability was reported by Patrick DeSantis of Cisco Talos (NOTE: the Talos report includes exploit code). Capsule Technologies has a new version that mitigates the vulnerability. There is no indication that DeSantis has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to exploit the vulnerability to provide an attacker with full control of a trusted device on a hospital’s internal network.

Wednesday, April 15, 2020

9 Advisories and 5 Updates – 4-14-20


Yesterday the CISA NCCIC-ICS published nine control system security advisories for products from Siemens (6), Triangle MicroWorks (2) and Eaton. They also published updates for five advisories for products from Siemens.

TIM Advisory


This advisory describes an active debug code vulnerability in the Siemens TIM communication modules. This vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker with network access to gain full control over the device.

KTK Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens KTK, SIDOOR, SIMATIC, and SINAMICS products. This vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party (InterNiche OS) SegmentSmack vulnerability.

SCALANCE Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE and SIMATIC products. This vulnerability is self-reported. Siemens provided generic workarounds while they continue to work on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party (VxWorks OS) SegmentSmack vulnerability.

SIMOTICS Advisory


This advisory describes a business logic error vulnerability in the Siemens SIMOTICS, Desigo, APOGEE, and TALON products. The vulnerability was self-reported. Siemens provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit this vulnerability to allow an attacker to affect the availability and integrity of the device.

Industrial Devices Advisory


This advisory describes two vulnerabilities in the Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC and SINEMA products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2018-5390; and
• Improper input validation - CVE-2018-5391

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to affect the availability of the devices under certain conditions.

NOTE: This is the third-party (Linux OS) SegmentSmack vulnerability.

Climatix Advisory


This advisory describes two vulnerabilities in the Siemens Climatix product line. The vulnerabilities were reported by Ezequiel Fernandez from Dreamlab Technologies. Siemens has provided generic workarounds.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7574; and
• Basic XSS - CVE-2020-7575

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote attacker to execute arbitrary code to access confidential information without authentication.

TMW SCADA Advisory


This advisory describes three vulnerabilities in the Triangle Microworks (TMW) SCADA Data Gateway. The vulnerabilities were reported by Incite Team of Steven Seeley and Chris Anastasio, and Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi via the Zero Day Initiative. TMW has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10615;
• Out-of-bounds read - CVE-2020-10613; and
• Type confusion - CVE-2020-10611

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code and disclose on affected installations of Triangle Microworks SCADA Data Gateway with DNP3 Outstation channels. Authentication is not required to exploit these vulnerabilities.

TMW DNP3 Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Triangle Microworks DNP3 Outstation Libraries. The vulnerability was reported by Incite Team of Steven Seeley and Chris Anastasio via ZDI. TMW has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to stop the execution of code on affected equipment.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton HMiSoft VU3. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. The HMiSoft VU3 has reached end-of-life and is no longer supported by Eaton.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10639; and
• Out-of-bounds read - CVE-2020-10637

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed and may allow remote code execution or information disclosure.

Industrial Products Update


This update provides additional information for an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for ROX II.

PROFINET Update


This update provides additional information for an advisory that was originally published on October 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET200MP IM155-5 PN HF.

TIA Portal Update


This update provides additional information for an advisory that was originally published on January 14th, 2020. The new information includes updated version information and mitigation links for TIA Portal V16.

SIMATIC PCS 7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC WinCC (TIA Portal) V16.

SIMATIC S7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes adding SIMATIC WinAC RTX to the list of affected products.

Other Siemens Updates


Siemens also updated five other advisories yesterday. I expect that NCCIC-ICS will address at least two of these, probably later this week.

Wednesday, August 29, 2018

ICS-CERT Publishes 5 Advisories


Yesterday the DHS ICS-CERT published four control system security advisories for products from ABB and Schneider (3). They also published one medical device security advisory for products from Qualcomm Life.

The ABB vulnerability was previously discussed here two weeks ago. Two of the Schneider vulnerabilities were discussed here last weekend.

ABB Advisory


This advisory describes an improper authentication vulnerability in the ABB eSOMS electronic shift operations management system. The vulnerability is self-reported (the ABB security advisory notes that they “received information about this vulnerability through responsible disclosure” but did not name the researcher). ABB will publish a new version on September 28th that will mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain access to the application without authentication.

Note: The ICS-CERT link to the ABB security advisory does not work; use the link above.

PowerLogic Advisory


This advisory describes a cross-site scripting vulnerability in the Schneider PowerLogic PM5560 power management system. The vulnerability was reported by Ezequiel Fernandez and Bertin Jose. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow user input to be manipulated, allowing for remote code execution.

Modicon 221 Advisory (1)


This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon 221 PLCs. The vulnerability was reported by Yehonatan Kfir of Radiflow. A new firmware version mitigates the vulnerability. There is no indication that Kfir has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to remotely reboot the device.

Modicon 221 Advisory (2)


This advisory describes three vulnerabilities in the Schneider Modicon 221 PLCs. The vulnerabilities were reported by Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans. A new firmware version mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Information management errors - CVE-2018-7790; and
• Permissions, privileges and access controls (2) - CVE-2018-7791 and CVE-2018-7792

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerabilities to replay authentication sequences, overwrite passwords, or decode passwords.

Qualcomm Advisory


This advisory describes a code weakness vulnerability in the Qualcomm Life Capsule Datacaptor Terminal Server (DTS). The vulnerability was reported by Elad Luz of CyberMDX. A new firmware update mitigates the vulnerability in one of the affected products and workarounds have been identified for the remaining products. There is no indication that Luz has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute unauthorized code to obtain administrator-level privileges on the device.

Saturday, August 25, 2018

Public ICS Disclosure – Week of 08-25-18


This week we have two vendor disclosures and three exploits for previously disclosed vulnerabilities; all for products from Schneider.

PowerLogic PM5560 Advisory


Schneider published an advisory for their PowerLogic PM5560 product for a cross protocol injection vulnerability. The vulnerability was reported by Ezequiel Fernandez and Bertin Jose. Schneider has an update available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Modicon M221 Advisory


Schneider published an advisory for their Modicon M221 product for an improper check for unusual or exceptional conditions vulnerability. The vulnerability was reported by Yehonatan Kfir of Radiflow. Schneider has a firmware update available that mitigates the vulnerability. There is no indication that Kfir has been provided an opportunity to verify the efficacy of the fix.

Schneider Electric IGSS Exploit


Alejandro Parodi published exploit code for a remote code execution vulnerability in the Schneider Electric IGSS. This vulnerability was previously reported by ICS-CERT in January 2013.

Schneider Electric Serial Modbus Drive Exploits


Alejandro Parodi published exploit code (here and here) for two separate vulnerabilities in the Schneider Electric Serial Modbus Drive: a denial of service vulnerability and a remote code execution vulnerability. Both vulnerabilities were previously reported by ICS-CERT in March 2014.
