Showing posts with label Hillrom.

Tuesday, November 22, 2022

Review – 5 Advisories and 3 Updates Published – 11-22-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Moxa, GE, Phoenix Contact, Digital Alert Systems, and AVEVA. They updated two control system advisories for products from Moxa and one medical device security advisory for products from Hillrom.

Security Advisories

Moxa Advisory - This advisory describes an execution with unnecessary privilege vulnerability in the Moxa ARM-Based Computers.

GE Advisory - This advisory describes five vulnerabilities in the GE CIMPLICITY HMI/SCADA software.

Phoenix Contact Advisory - This advisory describes two vulnerabilities in the Phoenix Contact Automation Worx Software Suite.

NOTE: I briefly discussed these vulnerabilities on November 13th, 2022.

Digital Alert Advisory - This advisory describes two cross-site scripting vulnerabilities (one with known exploit) in the Digital Alert Systems DASDEC emergency messaging devices.

AVEVA Advisory - This advisory describes four vulnerabilities in the AVEVA Edge (InduSoft Web Studio).

Security Updates

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on August 2nd, 2022.

I briefly discussed the Mitsubishi update last weekend.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on February 18th, 2021 and most recently updated on August 2nd, 2022.

I briefly discussed the Mitsubishi update last weekend.

Hillrom Update - This update provides additional information on an advisory that was originally published on June 1st, 2021 and most recently updated on September 8th, 2022.

Thursday, September 8, 2022

Review – 2 Advisories and 2 Updates Published – 9-8-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from MZ Automation and a medical device security advisory for products from Baxter. They also updated advisories for products from PTC and Hillrom.

MZ Advisory - This advisory describes four vulnerabilities in the MZ Automation libIEC61850, a library for IEC 61850 implementation.

NOTE: Since this is a library product, the vulnerabilities are only exploitable in a product in which the library is used. So, we can expect to see this show up as third-party vulnerabilities in products from other vendors.

Baxter Advisory - This advisory discusses four vulnerabilities (with proof-of-concept code available) in the Sigma and Baxter Spectrum Infusion Pumps. The Baxter advisory notes that the vulnerabilities only affect the Spectrum Wireless Battery Module (WBM) that may be used by the infusion pumps.

PTC Update - This update provides new information on an advisory that was originally published on August 30th, 2022.

Hillrom Update - This update provides new information on an advisory that was originally published on June 1st, 2021 and most recently updated on December 14th, 2021.

NOTE: The Hillrom advisory is nearly a duplicate of the CISA advisory (including the questionable use of the CISA seal), but it specifically mentions the December 14th, 2021 update where the CISA advisory does not directly. I also like their use of the ‘Unclassified’ document marking.

 

For more details about these advisories and updates, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-2-updates-published - subscription required.

Thursday, June 16, 2022

Review – 18 Advisories Published – 6-16-22

Today, CISA’s NCCIC-ICS published 17 control system security advisories for products from Siemens (14) and AutomationDirect (3). They also published a medical device security advisory for products from Hillrom. They also published 17 updates, but I will cover those in a separate post.

SINEMA Advisory #1 - This advisory describes 30 vulnerabilities (six with known exploits) in the Siemens SINEMA Remote Connect Server.

SINEMA Advisory #2 - This advisory describes two improperly implemented security check for standard vulnerabilities in the Siemens SINEMA Remote Connect Server.

SCALANCE Advisory #1 - This advisory discusses the PwnKit vulnerability in the Siemens SCALANCE LPE9403 and SINUMERIK Edge.

SCALANCE Advisory #2 - This advisory describes an improper validation of integrity check value in the Siemens SCALANCE XM-400 and XR-500 industrial switches.

SCALANCE Advisory #3 - This advisory discusses ten vulnerabilities (including three with known exploits) in the Siemens SCALANCE LPE9403.

Teamcenter Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Siemens Teamcenter Active Workspace.

Teamcenter Advisory #2 - This advisory describes a use of hard-coded credentials vulnerability in the Siemens Teamcenter.

Industrial Products Advisory - This advisory discusses an infinite loop vulnerability in a large number of Siemens industrial products.

NOTE: It does not look like this advisory will be listing the ‘fixed’ products; we will have to watch the Siemens advisory for that. This may be a way for NCCIC-ICS to avoid having to do numerous updates to this advisory.

Spectrum Power Advisory - This advisory describes a use of hard-coded credentials vulnerability in the Siemens Spectrum Power SCADA, data modeling and monitoring system.

Xpedition Designer - This advisory describes an incorrect permission assignment vulnerability in the Siemens Xpedition Designer design flow products.

SICAM Advisory - This advisory describes three vulnerabilities in the Siemens SICAM GridEdge Essential ARM.

Apache Server Advisory - This advisory discusses three vulnerabilities in the Siemens Apache HTTP Server.

EN100 Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer in the Siemens EN100 Ethernet Module.

Mendix Advisory - This advisory describes two vulnerabilities in the Siemens Mendix SAML Modules.

AutomationDirect Advisory #1 - This advisory describes two vulnerabilities in the AutomationDirect DirectLOGIC with Ethernet Communication Modules.

AutomationDirect Advisory #2 - This advisory describes a cleartext transmission of sensitive information vulnerability in the AutomationDirect DirectLOGIC with Serial Communication.

AutomationDirect Advisory #3 - This advisory describes two vulnerabilities in the AutomationDirect C-more EA9 industrial touch screen HMI.

Hillrom Advisory - This advisory describes two vulnerabilities in the Hillrom Welch Allyn ELI medical devices.

 

For more details on these advisories, including links to researcher reports, third-party advisories, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/18-advisories-published-6-16-22 - subscription required.

Sunday, February 6, 2022

Review - Public ICS Disclosures – Week of 1-29-22 – Part 2

For Part 2 we have four more vendor disclosures from QNAP, TI, VMware, and Fujitsu. We also have five updates from Boston Scientific, Dell, Hillrom, Johnson Controls, and QNAP. There are also 98 researcher reports for vulnerabilities in products from Gerbv (2), and Bentley (96). Finally, we have three exploit reports for products from Moxa (2), and WAGO.

QNAP Advisory - QNAP published an advisory discussing the Deadbolt Ransomware attacks.

TI Advisory - TI published an advisory discussing physical security attacks on ‘silicon devices.’

VMware Advisory - VMware published an advisory describing an information disclosure vulnerability in their VMware Cloud Foundation.

Fujitsu Advisory - Fujitsu published an advisory discussing 15 vulnerabilities in Insyde® Firmware.

Boston Scientific Update - Boston Scientific published an update for their Log4Shell advisory.

Dell Update - Dell published an update for their generic Log4Shell advisory.

Hillrom Update - Hillrom published an update for their Log4Shell advisory.

Johnson Controls Update - Johnson Controls published an update for their Log4Shell advisory.

QNAP Update - QNAP published an update for their QTS and QuTS hero advisory that was originally published on January 13th, 2021 and most recently updated on January 25th, 2022.

Gerbv Reports - Talos published two reports of vulnerabilities in the Gerbv RS-274X viewer.

Bentley Reports - The Zero Day Initiative published 96 reports (ZDI-22-149 thru ZDI-22-243) about vulnerabilities in the Bentley MicroStation and MicroStation-based applications.

Moxa Exploit #1 - Matthew Bergin published an exploit for a firmware upgrade vulnerability in the Moxa TN-5900.

Moxa Exploit #2 - Matthew Bergin published an exploit for a command injection vulnerability in the Moxa TN-5900.

WAGO Exploit - Gerhard Hechenberger published an exploit for an improper handling of exceptional conditions vulnerability in the WAGO 750-8xxx PLC.

NOTE: This was reported as a third-party (CODESYS) vulnerability, so this exploit may work (with or without modification?) on other vendor products.

 

For more details on these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-d73 - subscription required.

Tuesday, December 14, 2021

Review - 2 Advisories and 1 Update Published – 12-14-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Schneider Electric and Advantech. They also updated a medical device security advisory for products from Hillrom.

Schneider Advisory - This advisory describes a cross-site scripting vulnerability in the Schneider Rack Power Distribution Unit (PDU).

Advantech Advisory - This advisory describes 26 vulnerabilities in the Advantech R-SeeNet.

NOTE: I briefly reported on these vulnerabilities on November 27th, 2021.

Hillrom Update - This update provides additional information on an advisory that was originally published on June 1st, 2021.

For additional details on these advisories, including links to the researcher reports with POC code, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-ade - subscription required.

Thursday, December 9, 2021

Review - 3 Advisories Published – 12-9-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from WECON and Hitachi Energy and a medical device security advisory for products from Hillrom.

WECON Advisory - This advisory describes a stack-based buffer overflow in the WECON LeviStudioU HMI.

Hitachi Energy Advisory - This advisory describes an improper access control in the Hitachi Energy GMS600, PWC600, and Relion 670/650/SAM600-IO products.

NOTE: Hitachi Energy published separate advisories for each of the affected product lines. I briefly reported on those advisories back on November 6th, 2021.

Hillrom Advisory - This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Hillrom Welch Allyn Cardio Products.

For more details about those advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-9-21 - subscription required.

Tuesday, June 1, 2021

2 Advisories Published – 6-1-21

Today CISA’s NCCIC-ICS published a control system security advisory for products from Siemens and a medical device security advisory for products from Hillrom.

Siemens Advisory

This advisory describes an improper restriction of operations within the bounds of a memory buffer. The vulnerability was reported by Tal Keren from Claroty. Siemens has new versions that mitigate the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.

NOTE: I briefly discussed this vulnerability last Saturday on CFSN Detailed Analysis (subscription required).

Hillrom Advisory

This advisory describes two vulnerabilities in Hillrom’s Welch Allyn medical device management tools. The vulnerabilities were reported by Uriel Malin, Jamison Utter, and Itay Kirshenbaum of Medigate. Hillrom has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Out-of-bounds write - CVE-2021-27410, and

• Out-of-bounds read - CVE-2021-27408

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to cause memory corruption and remotely execute arbitrary code.

Tuesday, November 5, 2019

1 Advisory and 2 Updates Published


Today the CISA NCCIC-ICS published a control system advisory for products from Omron. They also updated two previously published security advisories for products from Omron and Interpeak (medical device advisory).

Omron Advisory


This advisory describes a use of obsolete function vulnerability in the Omron CX-Supervisor. The vulnerability was reported by Michael DePlante of the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in information disclosure, total compromise of the system, and system unavailability.

Omron Update


This update provides additional information on an advisory that was originally published on May 14th, 2019. The new information includes the announcement of a new version that mitigates the vulnerability.


Interpeak IPnet (medical device) Update


This update provides additional information on an advisory that was originally published on October 1st, 2019 and last updated on October 10th. The new information is the addition of Hillrom to the list of vendors that have also released security advisories related to their affected products. Unfortunately, the link provided takes one to a generic responsible disclosure page with no mention of security advisories.


 