This week we have nine disclosures for products from Schneider.
We also have eight vendor updates for products from Siemens (5) and Schneider
(3). Finally, we have two researcher reports about vulnerabilities in products
from Schneider.
Schneider Advisories
Schneider published an
advisory describing a write-what-where condition vulnerability in their EcoStruxure™
Control Expert. The vulnerability was
reported by Jared Rittle of Cisco Talos; the report contains
proof-of-concept code. Schneider provides generic workarounds pending
development of remediation measures.
Schneider published an
advisory describing an insufficiently protected credentials vulnerability
in their EcoStruxure Geo SCADA Expert. The vulnerability is being
self-reported. Schneider has updates available that mitigate the vulnerability.
Schneider published an
advisory describing two vulnerabilities in their Web Server on Modicon M340
communication modules. The vulnerabilities were reported by DongJian Security
Lab and the Russian BDU FSTEC (report here). Schneider has new
firmware versions that mitigate the vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
The two reported vulnerabilities are:
• Forced browsing - CVE-2020-7541, and
• Improper check for unusual or exceptional conditions - CVE-2020-7539
Schneider published an
advisory describing a missing authentication for critical function vulnerability
in their Web Server on Modicon M340 communications modules. The vulnerability
was reported by DongJian Security Lab. Schneider has new firmware versions that
mitigate the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
Schneider published an
advisory describing a path traversal vulnerability on the Web Server on
Modicon M340 communications modules. The vulnerability was reported by Zheng
Qiang. Schneider has new firmware versions that mitigate the vulnerability.
There is no indication that the researcher has been provided an opportunity to
verify the efficacy of the fix.
Schneider published an
advisory describing an improper check for unusual or exceptional conditions
vulnerability in their Web Server on Modicon M340 communications modules. The
vulnerability is being self-reported.
Schneider published an
advisory describing an improper check for unusual or exceptional conditions
vulnerability in their Modicon M340 CPUs. The vulnerability was reported by the VAPT Team from
C3i IITK, India. Schneider has new firmware versions that mitigate the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
Schneider published an
advisory describing three separate improper check for unusual or
exceptional conditions vulnerabilities in their Modicon M580 controllers. The
vulnerabilities were reported by Gao Jian of NSFOCUS, Daniel Lubel of OTORIO, Armis
Security, Victor Fidalgo Villar of INCIBE-CERT, and Gideon Guo. Schneider has
firmware updates that mitigate the vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
Schneider published an
advisory describing an improper restriction of operations within the bounds
of a memory buffer vulnerability in their M258 Logic Controllers and SoMachine/SoMachine
Motion software. The vulnerability was reported by Kai Feng. Schneider has new
versions that mitigate the vulnerability. There is no indication that Kai has
been provided an opportunity to verify the efficacy of the fix.
Siemens Updates
Siemens published an update
for their SegmentSmack advisory that
was originally
published on April 14th, 2020 and most
recently updated on September 8th, 2020. The new information includes
updating information regarding successor products for SIMATIC RF180C and RF182C.
NOTE: NCCIC-ICS updated their advisory
for this vulnerability back in September but has not updated it for this Siemens
update.
Siemens published an update
for their GNU/Linux subsystem advisory that was originally
published in 2018 and most
recently updated on November 10th, 2020. The new information includes
adding the following new vulnerabilities:
• CVE-2020-25284,
• CVE-2020-25668,
• CVE-2020-25705,
• CVE-2020-27618, and
• CVE-2020-27777
Siemens published an update
for their Industrial Products advisory that was originally
published on December 10th, 2019 and most recently updated on September 8th,
2020. The new information includes updating information regarding successor
products for SIMATIC RF182C and RFID 181EIP.
NOTE: NCCIC-ICS last updated their
advisory for this product back in August.
Siemens published an update
for their advisory that was originally
published on September 9th, 2020 and most recently updated on
October 13th, 2020. The new information includes adding patch links
for:
• SIMATIC HMI Basic (2nd generation),
• Comfort (including SIPLUS variants), and
• Mobile Panels
NOTE: NCCIC-ICS published their advisory
for these vulnerabilities back in September but has not updated it since.
Siemens published an update
for their ZombieLoad advisory that
was originally
published on July 9th, 2019 and most recently updated on
March 10th, 2020. The new information includes:
• Correcting mitigations for SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP and
• Providing updates for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP
Schneider Updates
Schneider published an
update for their Ripple20
advisory that was originally
published on June 23, 2020 and most
recently updated on November 10th, 2020. The new
information includes adding remediation for:
• SCADAPack 32 RTU,
• XUPH001 OsiSense communication module,
• XGCS850C201 OsiSense RFID compact smart antenna,
• ATV340E Altivar Machine Drives,
• ATV630/650/660/680/6A0/6B0 Altivar Process Drives,
• ATV930/950/960/980/9A0/9B0 Altivar Process Drives,
• VW3A3720, VW3A3721 Altivar Process Communication Modules,
• ACE850 Sepam communication interface,
• PowerLogic EGX300 Ethernet Gateway,
• PowerLogic EGX100 Ethernet Gateway, and
• Acti9 Smartlink IP
Schneider published an
update for their CodeMeter
advisory that was originally
published on October 13th, 2020. The new information includes
reporting that the CodeMeter V7.10a fix qualification is confirmed for EcoStruxure
Machine SCADA Expert.
Schneider published an
update for their Modicon controllers advisory that was originally
published on May 14th, 2019 and most
recently updated on October 18th, 2020. The new information
includes reporting that a fix for an additional attack scenario is available on
M340 V3.30 for CVE-2018-7857.
Schneider Reports
Claroty published a
report discussing the Modicon M221 PLC vulnerabilities reported
Tuesday by Schneider.
Trustwave published a report discussing one of the Modicon
M221 PLC vulnerabilities reported
Tuesday by Schneider. This report contains proof-of-concept code for the
one-way hash vulnerability.