
Sunday, October 31, 2021

Review - Public ICS Disclosures – Week of 10-23-21 – Part 2

In Part 2 we have an additional eleven vendor disclosures from GPSD, Ingeteam, Hitachi ABB Power Grids, HPE (2), QNAP, Tanzu (4), and Yokogawa. We have an updated disclosure for OMRON products. Finally, we have two exploits for products from Hikvision and SonicWall.

GPSD Advisory - Incibe CERT published an advisory discussing the GPS Daemon Rollover Bug (CISA published a short advisory on the same topic).

Ingeteam Advisory - Incibe CERT published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the Ingeteam INGEPAC DA AU ring main unit.

Hitachi ABB Advisory - Hitachi ABB published an advisory describing a certificate verification vulnerability in their PCM600 Engineering Tool.

HPE Advisory #1 - HPE published an advisory describing a directory traversal vulnerability in their iLO Amplifier Pack.

HPE Advisory #2 - HPE published an advisory describing a local bypass of security restrictions vulnerability in their HPE ProLiant products.

QNAP Advisory - QNAP published an advisory describing a command injection vulnerability in their Media Streaming Add-On.

Tanzu Advisory #1 - Tanzu published an advisory discussing a shared interface vulnerability in their Spring by VMware products.

Tanzu Advisory #2 - Tanzu published an advisory describing a security bypass vulnerability in their Spring Data REST products.

Tanzu Advisory #3 - Tanzu published an advisory describing a deserialization vulnerability involving a maliciously constructed java.util.Dictionary object in their Spring-AMQP product.

Tanzu Advisory #4 - Tanzu published an advisory describing a log injection vulnerability in their Spring Framework.

Yokogawa Advisory - Yokogawa published an advisory discussing an unsupported Microsoft XML version vulnerability in many of their products.

OMRON Update - JP CERT published an update for the OMRON CS-Supervisor advisory that was originally published on October 15th, 2021.

Hikvision Exploit - Bashis published an exploit for a command injection vulnerability in the Hikvision web server.

Sonic Wall Exploit - The Vulnerability Lab published an exploit for a cross-site scripting vulnerability in the Sonicwall SonicOS.

For more details on the advisories, updates and exploits, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-a7c - subscription required.

Tuesday, September 7, 2021

Review - 2 Advisories Published – 9-7-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi ABB Power Grids and Mitsubishi Electric.

Hitachi ABB Advisory - This advisory describes a cleartext storage of sensitive information vulnerability in the Hitachi ABB System Data Manager product.

Mitsubishi Advisory - This advisory describes three vulnerabilities in the Mitsubishi MELSEC iQ-R Series CPU Module.

NOTE: I have previously discussed both sets of vulnerabilities.


For more details on the advisories, including a link to a researcher report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-9-7-21 - subscription required.

Saturday, September 4, 2021

Review - Public ICS Disclosures – Week of 8-28-21

This week we have sixteen vendor disclosures from ABB, Aruba Networks, Baxter, WAGO (3), Hitachi ABB Power Grids, Hewlett Packard Enterprise, Mitsubishi (2), Moxa (2), OPC Foundation, Philips, and QNAP (2). We also have three vendor updates from CODESYS. There are also 20 researcher reports for products from Fuji Electric. Finally, we have an exploit for products from Geutebruck.

ABB Advisory - ABB published an advisory describing a remote code execution vulnerability in their Base Software for SoftControl product.

Aruba Advisory - Aruba published an advisory describing 15 vulnerabilities in their ArubaOS product.

Baxter Advisory - Baxter published an advisory discussing the PrintNightmare vulnerability.

WAGO Advisory #1 - CERT VDE published an advisory describing an improper authentication and access control vulnerability in the WAGO 750-36X and WAGO 750-8XX products.

WAGO Advisory #2 - CERT VDE published an advisory discussing two out-of-bounds read vulnerabilities in the e!COCKPIT and WAGO-I/O-Pro products.

WAGO Advisory #3 - CERT VDE published an advisory describing a missing release of resources after effective lifetime vulnerability in WAGO PLCs.

Hitachi ABB Advisory - Hitachi ABB published an advisory describing a clear-text storage of sensitive information vulnerability in their System Data Manager – SDM600 products.

HPE Advisory - HPE published an advisory discussing two vulnerabilities in the SGI UV 300/3000 and HPE Integrity MC990 X Servers.

Mitsubishi Advisory #1 - Mitsubishi published an advisory discussing the FragAttacks WiFi vulnerabilities.

Mitsubishi Advisory #2 - Mitsubishi published an advisory discussing the BadAlloc vulnerabilities (Amazon FreeRTOS is the specific product involved here).

Moxa Advisory #1 - Moxa published an advisory describing 59 vulnerabilities in their TAP-323, WAC-1001, and WAC-2004 Series Wireless AP/Bridge/Client.

Moxa Advisory #2 - Moxa published an advisory describing 59 vulnerabilities in their OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router.

OPC Foundation - OPC Foundation published an advisory describing an access of memory location after end-of-buffer vulnerability in their Local Discovery Server.

Philips Advisory - Philips published an advisory discussing the HiveNightmare vulnerability.

QNAP Advisory #1 - QNAP published an advisory describing two vulnerabilities in their QNAP NAS running HBS 3.

QNAP Advisory #2 - QNAP published an advisory describing an out-of-bounds read vulnerability in their QNAP NAS running QTS, QuTS hero, and QuTScloud.

CODESYS Update #1 - CODESYS published an update for their V3 web server advisory that was originally published on May 19th, 2021 and most recently updated on July 22nd, 2021.

CODESYS Update #2 - CODESYS published an update for their V3 web server advisory that was originally published on July 15th, 2021.

CODESYS Update #3 - CODESYS published an update for their Gateway V3 advisory that was originally published on July 15th, 2021.

Fuji Electric Reports - The Zero Day Initiative published 20 reports describing 0-day vulnerabilities in the Fuji Tellus Lite V-Simulator.

Geutebruck Exploit - Titouan Lazard, Sebastien Charbonnier, and Ibrahim Ayadhi published a Metasploit module for eight previously reported vulnerabilities in the Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices.


For more details on the advisories and reports, including links to third-party reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8 - subscription required.

Tuesday, August 24, 2021

Review - 3 Advisories and 1 Update Published – 8-24-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Delta Electronics and Hitachi ABB (2). They also updated an advisory for products from Advantech.

Delta Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Delta TPEditor.

Hitachi ABB Advisory #1 - This advisory describes an insufficiently protected credential vulnerability in the Hitachi ABB Retail Operations and Counterparty Settlement Billing products.

Hitachi ABB Advisory #2 - This advisory discusses the FragAttacks WiFi vulnerabilities in the Hitachi ABB TropOS Product.

Advantech Update - This update provides additional information on an advisory that was originally reported on June 17th, 2021.


For more details on the advisories, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-e37 - subscription required.

Saturday, August 7, 2021

Review - Public ICS Disclosures – Week of 7-31-21

This week we have three INFRA:HALT advisories from Phoenix Contact, Schneider Electric, and Siemens. We have 17 other advisories for products from Aruba, Bosch, Carestream, Genetec, Hitachi ABB Power Grids (3), Johnson Controls, Mitsubishi Electric (4), Phoenix Contact (3), PulseSecure, and VMware. Finally, there are two updates from CODESYS and PcVue.

INFRA:HALT Advisories

Phoenix Contact published an advisory discussing the INFRA:HALT vulnerabilities.

Schneider published an advisory discussing the INFRA:HALT vulnerabilities.

Siemens published an advisory discussing the INFRA:HALT vulnerabilities.

Other Advisories

Aruba published an advisory describing a privilege escalation vulnerability in their Analytics and Location Engine (ALE).

Bosch published an advisory describing a cross-site request forgery vulnerability in their IP Cameras.

Carestream published an advisory discussing the PrintNightmare vulnerabilities.

Genetec published an advisory describing four vulnerabilities in their Streamvault products.

Hitachi ABB published an advisory discussing the FragAttacks WiFi vulnerabilities in their TropOS Product.

Hitachi ABB published an advisory describing a password in memory vulnerability in their Counterparty Settlement Billing (CSB) Product.

Hitachi ABB published an advisory describing a password in memory vulnerability in their Retail Operations Product.

Johnson Controls published an advisory describing an auto-update vulnerability in their Software House C•CURE 9000 product.

Mitsubishi published an advisory describing an information disclosure vulnerability in their MELSEC iQ-R Series CPU module.

Mitsubishi published an advisory describing an unauthorized log-in vulnerability in their MELSEC iQ-R series CPU modules.

Mitsubishi published an advisory describing a denial-of-service vulnerability in their MELSEC iQ-R Series CPU module.

Mitsubishi published an advisory describing an authentication bypass vulnerability in their MELSEC iQ-R Series CPU Module.

Phoenix Contact published an advisory discussing the WIBU CodeMeter vulnerabilities reported by NCCIC-ICS.

Phoenix Contact published an advisory describing a denial of service vulnerability in their PLCnext Control devices.

Phoenix Contact published an advisory describing an improper privilege management vulnerability in their FL MGUARD DM product.

PulseSecure published an advisory describing six vulnerabilities in their Pulse Connect Secure.

VMware published an advisory describing two vulnerabilities in their VMware Workspace ONE Access product.

Updates

CODESYS published an update for their CODESYS Development System V3 advisory that was originally published on July 15th, 2021.

PcVue published an update for their advisory that was originally published in November 2020.

For more details on these advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-e33 - subscription required.

Thursday, March 18, 2021

3 Advisories and 1 Update Published – 3-18-21

Today the CISA NCCIC-ICS published three control system security advisories for products from Hitachi ABB Power Grids (2) and Johnson Controls. They also published an update for an advisory for products from Rockwell Automation.

eSOMS Telerik Advisory

This advisory describes seven vulnerabilities in the Hitachi ABB eSOMS using Telerik (3rd party) software. The vulnerabilities are self-reported. Hitachi ABB has a new version that mitigates the vulnerabilities.

The seven reported vulnerabilities are:

• Path traversal - CVE-2019-19790,

• Deserialization of untrusted data - CVE-2019-18935 (2 publicly available exploits, here and here),

• Improper input validation - CVE-2017-11357 (1 publicly available exploit),

• Inadequate encryption strength - CVE-2017-11317,

• Insufficiently protected credentials - CVE-2017-9248 (1 publicly available exploit),

• Path traversal - CVE-2014-2217, and

• Path traversal - CVE-2014-4958

NOTE 1: Links are to the original Telerik advisory or blog post.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.

NOTE 2: Telerik apparently publicly acknowledged these vulnerabilities years ago (almost 7 years in one case). Why is it taking Hitachi ABB so long to address them? I guess the question is, did Telerik directly notify them of the vulnerability or just rely on the publication? I suspect that it was the latter.

eSOMS Advisory

This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in their eSOMS product. The vulnerability is self-reported. Hitachi ABB has new versions that mitigate the vulnerability.

NOTE: The Hitachi ABB advisory says they were notified of the vulnerability “through responsible disclosure”.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain access to unauthorized information.

Johnson Controls Advisory

This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Exacq Technologies (Johnson Controls) exacqVision Web Service. The vulnerability was reported by Milan Kyselica. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kyselica has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.

Rockwell Update

This update provides additional data on an advisory that was originally reported on February 25, 2021. The new information includes:

• Adding FactoryTalk Security to the list of affected products,

• Rewriting the mitigation section (to include noting that this is not a patchable vulnerability).

NOTE: I briefly discussed the updated Rockwell advisory back on March 6th, 2021.

Wednesday, March 17, 2021

3 Advisories and 1 Update Published – 3-16-21

Yesterday the CISA NCCIC-ICS published three control system security advisories and updated one medical device security advisory.

Hitachi ABB Power Grids Advisory

This advisory describes an infinite loop vulnerability in the Hitachi ABB Power Grids AFS Series. This is a third-party (Belden) vulnerability that I briefly described in February. The vulnerability is self-reported. Hitachi ABB Power Grids has updates available that mitigate the vulnerability.

The NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a denial-of-service condition on one of the ports in an HSR ring.

GE Grid Advisory

This advisory describes ten vulnerabilities in the GE Grid UR family of advanced protection and control relays. The vulnerabilities were reported by SCADA-X, DOE CyTRICS program, Verve Industrial, and VuMetric. GE Grid has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Inadequate encryption strength (2) - CVE-2016-2183 (TLS/SSL/IPsec vulnerability) and CVE-2013-2566 (TLS/SSL vulnerability),

• Session fixation - CVE-1999-1085 (SSH vulnerability),

• Exposure of sensitive information to an unauthorized actor (2) - CVE-2021-27422 and CVE-2021-27424,

• Improper input validation - CVE-2021-27418 and CVE-2021-27420,

• Unrestricted upload of file with dangerous type - CVE-2021-27428,

• Insecure default variable initialization - CVE-2021-27426, and

• Use of hard-coded credentials - CVE-2021-27430

NOTE 1: There are a large number of third-party vendor advisories for the first two CVEs over the years, but no published exploits.

NOTE 2: Those first three OLD vulnerabilities certainly help make a case for the use of a software bill of materials.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.

Advantech Advisory

This advisory describes a cross-site scripting vulnerability in the Advantech WebAccess/SCADA. The vulnerability was reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs. Advantech has a new version that mitigates the vulnerability. There is no indication that Toyama has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an unauthorized user to steal a user’s cookie/session token or redirect an authorized user to a malicious webpage.

BD Update

This update provides additional information on an advisory that was originally published on February 7th, 2017 and most recently updated on October 19th, 2017. The new information includes:

• Rewriting Risk Evaluation section,

• Adding Alaris 8015 PC unit, Versions 9.33, to the list of affected products,

• Rewriting description of CVE-2016-8375 vulnerability,

• Rewriting description of CVE-2016-9355 vulnerability, and

• Rewriting compensating controls descriptions

Tuesday, March 2, 2021

3 Advisories Published – 3-2-21

The CISA NCCIC-ICS published three control system security advisories for products from MB connect line, Rockwell Automation and Hitachi ABB Power Grids.

MB Connect Advisory

This advisory describes 18 vulnerabilities in the MB connect line mymbCONNECT24 and mbCONNECT24 remote access products. The vulnerabilities were reported by OTORIO. MB connect has a new version that mitigates most of the vulnerabilities; the remaining vulnerabilities will be fixed in a future release. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The 18 reported vulnerabilities are:

• Improper privilege management (4) - CVE-2020-12527, CVE-2020-12528, CVE-2020-35557, and CVE-2020-10384,

• Server-side request forgery (3) - CVE-2020-12529, CVE-2020-35558, and CVE-2020-35561,

• Cross-site scripting (4) - CVE-2020-12530, CVE-2020-35563, CVE-2020-35564, and CVE-2020-35569,

• Uncontrolled resource consumption - CVE-2020-35559,

• Open redirect - CVE-2020-35560,

• Insecure default initialization of resource - CVE-2020-35565,

• PHP remote file inclusion - CVE-2020-35566,

• Use of hard-coded credentials - CVE-2020-35567,

• Exposure of sensitive information to an unauthorized actor - CVE-2020-35568, and

• Files or directories accessible to external parties - CVE-2020-35570

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain unauthorized access to arbitrary information or allow remote code execution. The OTORIO report lists the same general potential effects in much more vivid language.

NOTE: The OTORIO report refers to ‘more than 20 critical security flaws’, but does not provide a list of the vulnerabilities.

Rockwell Advisory

This advisory describes an improper input validation vulnerability in the Rockwell CompactLogix and ControlLogix controllers. The vulnerability was reported by Yeop Chang. Rockwell has newer firmware that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to send specially crafted CIP packet requests to a controller, which may cause denial-of-service conditions in communications with other products.

Hitachi ABB Advisory

This advisory describes two vulnerabilities in the Hitachi ABB Ellipse Enterprise Asset Management products. The vulnerabilities are self-reported. Hitachi ABB has a new version that mitigates the vulnerabilities.

NOTE: The Hitachi ABB advisory reports that the vulnerability was reported to them by a private individual via a responsible disclosure. There is no indication that the individual was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2021-27416, and

• User interface misrepresentation of critical information - CVE-2021-27414

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to steal sensitive information, hijack a user’s session, or compromise authentication credentials.

Tuesday, October 20, 2020

2 Advisories and 2 Updates Published – 10-20-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Hitachi ABB Power Grids and Rockwell Automation, and updated an advisory for products from WECON. They also updated a medical device security advisory for products from Capsule Technologies.

Hitachi ABB Advisory

This advisory describes an improper authentication vulnerability in the Hitachi ABB XMC20 Multiservice-Multiplexer. The vulnerability is self-reported. Hitachi ABB has new firmware versions that mitigate the vulnerability.

NOTE: The Hitachi ABB advisory describes this as a third-party vulnerability in Libssh. They also report that exploit code is publicly available for the vulnerability. This vulnerability was reported by Peter Winter-Smith of NCC Group. An article on ZDNet.com notes that this is not the most commonly used ssh library, but we must assume that other vendor products may be affected by this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to remotely take control of the product.

Rockwell Advisory

This advisory describes three classic buffer overflow vulnerabilities in the Rockwell 1794-AENT Flex I/O Series B EtherNet/IP adapters. The vulnerabilities were reported (here, here, and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds for these vulnerabilities.

NOTE: The Cisco Talos reports contain proof-of-concept exploit code for the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device being accessed, resulting in a buffer overflow condition that may allow remote code execution.

NOTE: I briefly reported on these vulnerabilities last Saturday.

WECON Update

This update provides additional information on an advisory that was originally published on August 25, 2020. The new information includes:

• Adding ‘improper restriction of xml external entity reference’ as a new vulnerability,

• Adding ‘and obtain sensitive information’ to the risk evaluation, and

• Adding ‘Mehmet D. INCE @mdisec from T0.Group’ as a reporting researcher.

Capsule Technologies Update

This update provides additional information on an advisory that was originally published on July 14th, 2020. The new information includes updated affected version information and links to mitigation measures.