Showing posts with label Hilscher.

Saturday, May 15, 2021

Public ICS Disclosures – Week of 5-8-21, Part 1

This is a busier week than normal, even for a ‘Second Tuesday’ week. We have three vendor notifications for the FragAttacks WiFi vulnerabilities from Aruba, Ruckus, and Texas Instruments. We have two vendor notifications for the two OPC UA vulnerabilities reported this week by NCCIC-ICS from Beckhoff and Belden. We also have twelve other vendor notifications from Braun, SITEL (4), PEPPERL+FUCHS, CODESYS (3), Dell, and PulseSecure (2).

There will be a similarly lengthy list in Part 2 tomorrow.

FragAttacks Advisories

Aruba published an advisory discussing the FragAttacks vulnerabilities. Aruba provides a list of affected products and has new versions that mitigate the vulnerabilities.

Ruckus published an advisory discussing the FragAttacks vulnerabilities. Ruckus provides a list of affected products and has updates that mitigate the vulnerabilities.

TI published an advisory discussing the FragAttacks vulnerabilities. TI provides a list of affected products and has new versions that mitigate the vulnerabilities.

OPC UA Advisories

Beckhoff published an advisory discussing the OPC UA advisories. Beckhoff provides a list of affected products and has new versions that mitigate the vulnerabilities.

Belden published an advisory discussing the OPC UA advisories. Belden provides a list of affected products and has new versions that mitigate the vulnerabilities.

Braun Advisory

Braun published an advisory describing four vulnerabilities in a number of their products. The vulnerabilities were reported by McAfee Advanced Threat Research. Braun has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Insufficient verification of data authenticity,

• Missing authentication for critical function,

• Clear-text transmission of sensitive information, and

• Unrestricted upload of file with dangerous type.

SITEL Advisories

Incibe-Cert published an advisory describing a hard-coded credentials vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing a clear-text transmission of sensitive information vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an uncontrolled resource consumption vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing four vulnerabilities in the PEPPERL+FUCHS ICE1 Ethernet IO Modules. These are third-party (Hilscher) vulnerabilities. PEPPERL+FUCHS has provided generic mitigation measures.

The four reported vulnerabilities are:

• Out-of-bounds write (2) - CVE-2021-20987 and CVE-2021-20986,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-20988, and

• Exposure of sensitive information to an unauthorized actor - CVE-2019-18222 (Mbed TLS)

CODESYS Advisories

CODESYS published an advisory describing three vulnerabilities in their CODESYS V2 runtime systems. The vulnerabilities were reported by Yossi Reuven of SCADAfence and Sergey Fedonin and Denis Goryushev of Positive Technologies. CODESYS has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow - CVE-2021-30188, and

• Improper input validation - CVE-2021-30195

CODESYS published an advisory describing six vulnerabilities in their V2 web server. The vulnerabilities were reported by Vyacheslav Moskvin, Sergey Fedonin and Anton Dorfman of Positive Technologies. CODESYS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-30189,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193, and

• Out-of-bounds read - CVE-2021-30194

CODESYS published an advisory describing an improper neutralization of special elements used in an OS command vulnerability in their CODESYS V2 Runtime Toolkit 32. This is a Linux implementation vulnerability. The vulnerability was reported by van Kurnakov and Sergey Fedonin of Positive Technologies. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Dell Advisory

Dell published an advisory describing an improper authorization vulnerability in their Dell Wyse Windows Embedded System. The vulnerability was reported by Alessandro Baldini and Alessio D'Anastasio. Dell has updates that mitigate the vulnerability.

PulseSecure Advisories

PulseSecure published an advisory describing an HTTP request smuggling vulnerability in their Virtual Traffic Manager (vTM). The vulnerability was reported by James Kettle from PortSwigger Web Security. PulseSecure has new versions that mitigate the vulnerability. There is no indication that Kettle has been provided an opportunity to verify the efficacy of the fix.

PulseSecure published an advisory describing a buffer overflow vulnerability in their Pulse Connect Secure. PulseSecure provides a work around pending development of a new version that will mitigate the vulnerability.

Saturday, April 3, 2021

Public ICS Disclosures – Week of 3-27-21

This week we have four vendor disclosures from Bosch (2), Dell, and VMware. There is an update from CODESYS. We also have three researcher reports for products from Rockwell Automation and Softing (2). Finally, we have an exploit for ScadaBR.

Bosch Advisories

Bosch published an advisory describing a stack-based buffer overflow in their Rexroth ActiveMover product using Ethernet IP. This is a third-party (Hilscher) vulnerability. Bosch has a newer version that mitigates the vulnerability.

Bosch published an advisory describing a stack-based buffer overflow in their Rexroth ActiveMover using Profinet. This is a third-party (Hilscher) vulnerability. Bosch provides generic workarounds to mitigate the vulnerability.

Dell Advisory

Dell published an advisory describing a configuration vulnerability in their Wyse ThinOS. The vulnerability was reported by Emanuel Rodrigues. Dell has new versions that mitigate the vulnerability. There is no indication that Rodrigues has been provided an opportunity to verify the efficacy of the fix.

VMware Advisory

VMware has published an advisory describing two vulnerabilities in their vRealize Operations product. The vulnerabilities were reported by Egor Dimitrenko of Positive Technologies. VMware has updates that mitigate the vulnerabilities. There is no indication that Dimitrenko has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Server-side request forgery - CVE-2021-21975, and

• Arbitrary file write - CVE-2021-21983

NOTE: Tenable has published a report on these vulnerabilities.

CODESYS Update

CODESYS published an update [.PDF download link] for their Control V3 password handling advisory that was originally published on August 1st, 2019 and most recently updated on May 14th, 2020. The new information includes:

• Enabling online user management by default,

• Adding additional JIRA reference CDS-73742, and

• Extending the available software updates to include the V3.5.17.0 update

NOTE: The NCCIC-ICS advisory (ICSA-19-213-04) has not yet been updated.

Rockwell Report

Claroty published a report on the Rockwell FactoryTalk AssetCentre vulnerabilities that were announced earlier this week.

Softing Reports

Gruppo Tim published two reports for vulnerabilities in the Softing AG OPC Toolbox. The reports contain proof of concept code. There is no indication that Softing has been contacted.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2021-29661, and

• Cross-site request forgery - CVE-2021-29660

ScadaBR Exploit

Fellipe Oliveira published an exploit for an arbitrary file upload vulnerability in ScadaBR. There are no CVEs or indications that the vendor has been contacted. This may be a 0-day exploit.

Saturday, February 20, 2021

Public ICS Disclosure – Week of 2-13-21

This week we have nine vendor disclosures from Aruba Networks, PEPPERL+FUCHS (3), Dell, Moxa, Philips, QNAP, and Rockwell. There is an update from Mitsubishi. We have three researcher reports for vulnerabilities in products from Advantech (2) and Sytech. Finally, we have an exploit for a product from DDC.

Aruba Advisory

Aruba published an advisory describing eleven vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Daniel Jensen, Luke Young, Fernando Romero de la Morena, and the Microsoft Security Team. Aruba has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Cross-site scripting - CVE-2021-26678,

• Command injection (5) - CVE-2021-26681, CVE-2021-26679, CVE-2021-26680, CVE-2021-26683, and CVE-2021-26684,

• Local escalation of privilege - CVE-2021-26677,

• SQL injection (2) - CVE-2021-26685 and CVE-2021-26686,

• Reflected cross-site scripting - CVE-2021-26682, and

• Buffer Overflow - CVE-2020-7120

PEPPERL+FUCHS Advisories

CERT-VDE published an advisory describing an out-of-bounds write vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (RTA) EtherNet/IP Stack vulnerability. Generic mitigation measures were described.


CERT-VDE published an advisory describing a stack-based buffer overflow vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (Hilscher) PROFINET IO Device vulnerability. Generic mitigation measures were described.


CERT-VDE published an advisory describing a stack-based buffer overflow vulnerability in multiple PEPPERL+FUCHS products. This is a third-party (Hilscher) EtherNet/IP stack vulnerability.

Dell Advisory

Dell published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in their EMC PowerProtect Cyber Recovery product. The vulnerability is self-reported. Dell has a new version that mitigates the vulnerability.

Moxa Advisory

Moxa published an advisory describing a heap-based buffer overflow vulnerability in multiple products. This is a third-party (SUDO) vulnerability. Exploits are publicly available. Moxa has upgrades available to mitigate the vulnerability.

Philips Advisory

Philips published an advisory describing three TCP/IP vulnerabilities in their products running on Microsoft Windows. The three CVE numbers (CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086) provided in the advisory are listed as ‘Reserved’ by cve.mitre.org, so it is not clear which MS vulnerabilities are specifically being reported, but Philips is reportedly reviewing MS patches.

QNAP Advisory

QNAP published an advisory describing a stack-based overflow vulnerability in their QNAP NAS running Surveillance Station. The vulnerability was reported by an unnamed ‘independent security researcher’. QNAP has new versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

Rockwell Advisory

Rockwell published an advisory describing an uncontrolled search path element vulnerability in their DriveTools™ and Drives AOP products. The vulnerability was reported by Cim Stordal of Cognite and Claroty. Rockwell has new versions that mitigate the vulnerability. There are no indications that the researchers have been provided an opportunity to verify the efficacy of the fix.

Mitsubishi Update

Mitsubishi published an update for their TCP protocol stack advisory that was originally published (by NCCIC-ICS) on September 1st, 2020. The new information includes updated affected versions and/or added mitigation measures for:

• MSZ-BT20/25/35/50VGK-E1,

• MSZ-BT20/25/35/50VGK-ET1,

• MSZ-AP25/35/42/50/60/71VGK-E2,

• MSZ-AP25/35/42/50VGK-E7,

• MSZ-AP25/35/42/50VGK-EN2,

• MSZ-AP60/71VGK-ET2,

• MSZ-EF18/22/25/35/42/50VGKW(S)(B)-E1,

• MSZ-EF22/25/35/42/50VGKW(S)(B)-ER1,

• MSZ-EF25VGKB-ET1,

• MSZ-FT25/35/50VGK-E1,

• MSZ-FT25/35/50VGK-ET1,

• MSZ-FT25/35/50VGK-SC1,

• MSZ-EF22/25/35/42/50VGKW(S)(B)-A1, and

• BAC-HD150

NOTE: I expect that NCCIC-ICS will update their advisory in the coming week.

Advantech Reports

Talos published a report describing five incorrect default permission vulnerabilities (CVE-2020-13551, CVE-2020-13552, CVE-2020-13553, CVE-2020-13554, and CVE-2020-13555) in the Advantech WebAccess/SCADA installation. The report includes proof of concept code. The vulnerabilities were disclosed to Advantech in October 2020.


Talos published a report describing a path traversal vulnerability in the Advantech WebAccess/SCADA installation. The report includes proof of concept code. The vulnerability was disclosed to Advantech in October 2020.

Sytech Report

Talos published a report describing an incorrect default permissions vulnerability in the Sytech XL Reporter. The report includes proof of concept code. The vulnerability was disclosed to Sytech in October 2020.

DDC Exploit

Kağan Çapar published an exploit for a buffer overflow vulnerability in the DDC dataSIMS Avionics Bus Analysis & Simulation Software Tool. There is no CVE listed and no indication of notification to DDC. This may be a 0-day exploit.
