Showing posts with label Intel. Show all posts

Sunday, May 29, 2022

Review - Public ICS Disclosures – Week of 5-21-22 – Part 2

For Part 2 this week, we have four vendor updates from HP, Mitsubishi (2), and VMware. We also have researcher reports for vulnerabilities for products from Intel (3), VMware, and Boeing.

HP Update - HP published an update for their PC BIOS advisory that was originally published on February 28th, 2022 and most recently updated on April 8th, 2022.

Mitsubishi Update #1 - Mitsubishi published an update for their Factory Automation advisory that was originally published on July 30th, 2020 and most recently updated on December 17th, 2020.

Mitsubishi Update #2 - Mitsubishi published an update for their TCP Protocol Stack advisory that was originally published on September 1st, 2020 and most recently updated on August 24th, 2021.

VMware Update - VMware published an update for their Workspace One Access advisory that was originally published on March 18th, 2022.

Intel Reports - BINARLY published three reports (each including proof-of-concept code) of vulnerabilities in SMM drivers on Intel platforms.

VMware Report - Pentera Labs published a report (including proof-of-concept code) of an incorrect default permissions vulnerability in the VMware vCenter Server.

Boeing Report - Okay, this one is a bit odd, but Pen Test Partners published a blog post about their physical investigation of a recently decommissioned (with all equipment intact) Boeing 747.

 

For more details on these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-3a1 - subscription required.

Friday, December 18, 2020

1 Advisory Published – 12-18-20

Today the CISA NCCIC-ICS published an unusual Friday control system security advisory for products from Treck.

Treck Advisory

This advisory describes four vulnerabilities in the Treck TCP/IP stack. The vulnerabilities were reported by Intel. Treck has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-25066;
• Out-of-bounds write - CVE-2020-27337; and
• Out-of-bounds read (2) - CVE-2020-27338 and CVE-2020-27336

NOTE: These vulnerabilities are in a version where the Ripple20 vulnerabilities had already been corrected. I would suspect that just about everyone who was affected by Ripple20 as a third-party vulnerability will be affected by this.
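All three CWE classes listed for Treck (heap overflow, out-of-bounds write, out-of-bounds read) come down to a stack trusting a length field carried inside the packet. As an added illustration, and not Treck code or a reconstruction of these CVEs (the advisory gives no details of them), here is a bounds-checked walker for the standard TCP option block (kind, length, data), with comments marking the two checks whose omission produces exactly that out-of-bounds pattern. The sample option blocks are constructed for the example, not captured traffic.

```c
/* Added example: bounds-checked TCP option parsing.
 * Not Treck code and not a reconstruction of the CVEs above; it illustrates
 * the length-field checks whose absence gives out-of-bounds read/write bugs
 * in any TCP/IP stack. Sample inputs below are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_MSS    2
#define TCPOPT_WSCALE 3

struct tcp_opts {
    int mss;      /* -1 if absent */
    int wscale;   /* -1 if absent */
};

/* Walk a TCP option block of 'len' bytes ('len' comes from the data offset
 * field and must already have been checked against the captured length by
 * the caller). Returns 0 on success, -1 if the block is malformed. */
int tcp_parse_options(const uint8_t *opt, size_t len, struct tcp_opts *out)
{
    size_t i = 0;
    out->mss = -1;
    out->wscale = -1;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL)
            return 0;
        if (kind == TCPOPT_NOP) { i++; continue; }
        /* Check 1: every other option has a length byte; it must be inside
         * the buffer before we read it. */
        if (i + 1 >= len)
            return -1;
        uint8_t olen = opt[i + 1];
        /* Check 2: the declared length covers kind+length (so >= 2, else the
         * loop never advances) and must not exceed the bytes that remain
         * (else the reads below run past the buffer). Dropping either test
         * is the classic out-of-bounds read/write pattern. */
        if (olen < 2 || olen > len - i)
            return -1;
        switch (kind) {
        case TCPOPT_MSS:
            if (olen != 4) return -1;
            out->mss = (opt[i + 2] << 8) | opt[i + 3];
            break;
        case TCPOPT_WSCALE:
            if (olen != 3) return -1;
            out->wscale = opt[i + 2];
            break;
        default:
            break;  /* unknown kind: skip by its (validated) declared length */
        }
        i += olen;
    }
    return 0;
}

/* Constructed option blocks (not captured traffic). */
static const uint8_t OK_BLOCK[]    = { 2,4,0x05,0xb4, 1, 3,3,7, 0 };          /* MSS 1460, NOP, WS 7, EOL */
static const uint8_t SKIP_BLOCK[]  = { 8,10,0,0,0,0,0,0,0,0, 2,4,0x05,0xb4 }; /* 10-byte option this parser ignores, then MSS */
static const uint8_t TRUNC_BLOCK[] = { 2,4,0x05 };                            /* MSS declares 4 bytes, only 3 present */
static const uint8_t ZERO_BLOCK[]  = { 3,0,7 };                               /* declared length 0 */
static const uint8_t NOLEN_BLOCK[] = { 1,2 };                                 /* NOP, then a kind with no length byte */

/* Small wrappers so each case can be checked by return value. */
int parse_status(const uint8_t *b, size_t n) { struct tcp_opts o; return tcp_parse_options(b, n, &o); }
int ok_mss(void)       { struct tcp_opts o; tcp_parse_options(OK_BLOCK, sizeof OK_BLOCK, &o); return o.mss; }
int ok_wscale(void)    { struct tcp_opts o; tcp_parse_options(OK_BLOCK, sizeof OK_BLOCK, &o); return o.wscale; }
int skip_mss(void)     { struct tcp_opts o; tcp_parse_options(SKIP_BLOCK, sizeof SKIP_BLOCK, &o); return o.mss; }
int trunc_status(void) { return parse_status(TRUNC_BLOCK, sizeof TRUNC_BLOCK); }
int zero_status(void)  { return parse_status(ZERO_BLOCK, sizeof ZERO_BLOCK); }
int nolen_status(void) { return parse_status(NOLEN_BLOCK, sizeof NOLEN_BLOCK); }

int main(void)
{
    printf("valid block: mss=%d wscale=%d\n", ok_mss(), ok_wscale());
    printf("unknown option skipped: mss=%d\n", skip_mss());
    printf("truncated=%d zero-length=%d missing-length=%d (-1 = rejected)\n",
           trunc_status(), zero_status(), nolen_status());
    return 0;
}
```

The point for anyone auditing an embedded stack is the order of operations: the length byte is only read after its own offset is checked, and the declared length is compared against the remaining bytes before anything at that length is touched. A parser that reads opt[i + 1] first and checks afterwards already has the out-of-bounds read; one that copies olen bytes into a fixed buffer without the upper-bound test has the overflow.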

Saturday, February 15, 2020

Public ICS Disclosure – Week of 2-7-20


This week we have eight vendor disclosures for products from Siemens (2), Schneider Electric, Phoenix Contact, HMS, ABB (2) and Moxa. We also have three advisory updates from Siemens and one from Schneider.

Siemens Advisories


Siemens published an advisory describing three vulnerabilities found in Intel chips used in Siemens products. The vulnerabilities were identified and reported (advisory links below) by Intel. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Insufficient memory protection (2) - CVE-2019-0151 and CVE-2019-0152; and
• Heap-based buffer overflow - CVE-2019-0169

Siemens published an advisory describing a resource allocation vulnerability in their Profinet-IO stack. The vulnerability was reported by Yuval Ardon and Matan Dobrushin from OTORIO. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider Advisory


Schneider published an advisory describing an uncontrolled search path element vulnerability in their ProSoft Configurator. The vulnerability was reported by Yongjun Liu from NSFOCUS. Schneider has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.

Phoenix Contact Advisory


Phoenix Contact has published an advisory [.PDF download link] describing a remote configuration vulnerability in their Emalytics Controllers. The vulnerability was reported by Anil Parmar. Phoenix Contact has a new firmware version that mitigates the vulnerability. There is no indication that Parmar has been provided an opportunity to verify the efficacy of the fix.

HMS Advisory


HMS has published an advisory describing a cross-site scripting vulnerability in their Flexy and Cosy products. The vulnerability was reported by Ander Martínez from Titanium Industrial Security. HMS has a new firmware version that mitigates the vulnerability. There is no indication that Martínez has been provided an opportunity to verify the efficacy of the fix.

ABB Advisories


ABB published an advisory describing a direct object reference vulnerability in their Asset Suite product. The vulnerability is self-reported. ABB has a new version that mitigates the vulnerability.

ABB published an advisory describing 14 vulnerabilities in their eSOMS product. The vulnerabilities are self-reported. ABB has a new version that mitigates the vulnerabilities.

Moxa Advisory


Moxa published an advisory describing eight vulnerabilities in their OnCell cellular gateway. The vulnerabilities were reported by Alexander Zaytsev from Kaspersky Lab. Moxa has new firmware versions that mitigate the vulnerabilities. There is no indication that Zaytsev has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens published an update to their Linux TCP SACK PANIC advisory for Industrial Products that was originally published on September 10th, 2019 and most recently updated on November 14th, 2019. The new information includes revised version data and mitigation links for:

• TIM 1531 IRC;
• SIMATIC CP 1242-7, CP 1243-7 LTE (EU and US versions), CP 1243-1, CP 1243-8 IRC, CP 1543-1, CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1; and
• SCALANCE W1700.

NOTE: NCCIC-ICS updated their advisory on February 11th, but did not list it on their web site.

Siemens published an update for their ZombieLoad advisory that was originally published on July 9th, 2019 and most recently updated on December 10th, 2019. The new information includes updated version data and mitigation links for:

• SIMATIC IPC547E;
• SIMATIC IPC347E; and
• SIMATIC IPC3000 SMART V2

Siemens published an update for their GNU/Linux subsystem vulnerabilities advisory that was originally published on November 27th, 2018 and most recently updated on January 14th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2019-5188;
• CVE-2019-11190;
• CVE-2019-19956;
• CVE-2019-20054;
• CVE-2019-20079;
• CVE-2019-20388; and
• CVE-2020-7595

Schneider Update


Schneider published an update for their U.motion Builder advisory that was originally published on April 5th, 2018. The new information includes an updated remediation section.

Tuesday, February 19, 2019

Four advisories Published – 02-19-19


Today the DHS NCCIC published four control system security advisories for products from Rockwell Automation, Horner Automation, Delta Industrial and Intel.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell Allen-Bradley PowerMonitor 1000. The vulnerabilities were reported by Luca Chiou of ACSI. Rockwell is working on mitigation measures. Check Point Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass using alternate path or channel - CVE-2019-19616

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (here and here) to remotely exploit these vulnerabilities and affect the confidentiality, integrity, and availability of the device.

NOTE: I discussed these vulnerabilities last Saturday.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by ‘anonymous’ via the Zero Day Initiative (ZDI). Horner has a new version that mitigates the vulnerability. There is no indication that anonymous has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.

Delta Advisory


This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation CNCSoft. The vulnerability was reported by Natnael Samson (@NattiSamson) via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow condition that may allow information disclosure or crash the application.

Intel Advisory


This advisory describes eleven vulnerabilities in the Intel Data Center Manager SDK. The vulnerabilities were reported by Intel's Product Security Incident Response Team. Intel has a new version that mitigates the vulnerabilities.

The eleven reported vulnerabilities are:

• Improper authentication - CVE-2019-0102;
• Protection mechanism failure (4) - CVE-2019-0103, CVE-2019-0104, CVE-2019-0106, and CVE-2019-0107;
• Permission issues (4) - CVE-2019-0105, CVE-2019-0108, CVE-2019-0109, and CVE-2019-0111;
• Key management issues - CVE-2019-0110;
• Insufficient control flow management - CVE-2019-0112

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow escalation of privilege, denial of service, or information disclosure.

Wednesday, April 25, 2018

ICS-CERT Publishes 4 Advisories and 2 Siemens Updates


Yesterday the DHS ICS-CERT published three control system security advisories for products from Advantech, Intel and Vecna. They published a medical device security advisory for products from Becton, Dickinson and Company (BD). They also updated two control system security advisories previously published for products from Siemens. I have previously reported these two updates (here and here).

Advantech Advisory


This advisory describes three vulnerabilities in the Advantech WebAccess HMI Designer. The vulnerabilities were reported by Steven Seeley of Source Incite through the Zero Day Initiative. No mitigation measures have yet been provided.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2018-8833;
• Double free - CVE-2018-8835; and
• Out-of-bounds write - CVE-2018-8837

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to remotely execute arbitrary code.

Intel Advisory


This advisory describes a classic buffer overflow vulnerability in the Intel 2G modem products. The vulnerability was reported by Dr. Ralf-Philipp Weinmann and Dr. Nico Golde from Comsecuris. Intel is making firmware updates available to device manufacturers that protect systems from this vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The Intel advisory notes that: “The vulnerability affects Intel® 2G Modem products where the Earthquake Tsunami Warning System (ETWS) feature is enabled in Modem firmware.”

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to allow remote code execution.

It will be interesting to see if ICS-CERT provides us a list of the affected vendors as they update their products with the new Intel firmware. Given that this is Intel, I suspect that the list of affected vendors could be extensive.

Vecna Advisory


This advisory describes two vulnerabilities in the Vecna VGo Robot, a mobile robotic assistant. The vulnerabilities were reported by Dan Regalado from Zingbox. Vecna has released an update that mitigates the vulnerabilities. There is no indication that Regalado has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• OS command injection - CVE-2018-8866; and
• Clear transmission of sensitive information - CVE-2018-8860

ICS-CERT reports that a relatively low-skilled attacker on an adjacent network could exploit these vulnerabilities to capture firmware updates from network traffic, which could allow remote code execution.

BD Advisory


This advisory describes the KRACK vulnerabilities in the BD Pyxis products. BD reports being affected by 9 of the 10 reported KRACK vulnerabilities (not reporting CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake). BD has implemented third-party vendor patches through BD's routine patch deployment process that resolve these vulnerabilities for most devices. The BD advisory notes that for three of the affected products coordination with customers is necessary to properly deploy the patches and that they are contacting the affected customers.

SIMATIC Update


This update provides new information on an advisory that was originally published on March 29th, 2018. The update provides new affected version information and mitigation measures for SIMATIC BATCH V8.0 and V8.1.

SCALANCE Update


This update provides new information on an advisory that was originally published on November 14th, 2017 and updated on December 5th, 2017, December 19th, 2017 and again on January 25th, 2018. The update provides new affected version information and mitigation measures for SCALANCE W1750D.

Saturday, March 3, 2018

Public ICS Disclosures – Week of 2-24-18


We have two new vendor security advisories this week from Schneider and Siemens. Siemens also published an update to their ultrasound products notice for the WannaCry vulnerability. I mentioned the Siemens advisory and update in passing earlier this week.

Schneider Advisory


This advisory describes 11 vulnerabilities in the Pelco Sarix Professional fixed IP video surveillance cameras. The vulnerabilities were variously reported by Deng Yongkai of NSFOCUS Security Team, Melih Berk Eksioglu of Biznet Bilisim A.S., and Gjoko Krstic of Zero Science Labs. Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities include:

• Information disclosure - CVE-2018-7227;
• Authentication bypass (3) - CVE-2018-7228, CVE-2018-7229, and CVE-2018-7236;
• XML external entity vulnerability - CVE-2018-7230;
• Command execution vulnerability (4) - CVE-2018-7231, CVE-2018-7232, CVE-2018-7233, and CVE-2018-7235;
• Arbitrary file download - CVE-2018-7234; and
• Arbitrary file delete - CVE-2018-7237

ICS-CERT has published some surveillance camera security advisories, but it has been hit and miss. My coverage here has also been hit and miss since I lost (paid) access to the IPVM web site; they are certainly the best information source for vulnerability information (and lots of other information) on video systems. Since Schneider owns Pelco, there will be specific coverage in these weekly posts as appropriate since Schneider publishes a list of advisories as they are issued. That does not mean that other video systems are vulnerability free, just that I have not seen their reports.

Siemens Advisory


This advisory describes 8 vulnerabilities in the Siemens SIMATIC industrial PCs. The vulnerabilities are due to the presence of one or more of three Intel products in the PCs; Intel reported these vulnerabilities back in November 2017. Siemens has identified a generic workaround for the vulnerabilities and there is no indication that further mitigations are in the works.

The reported vulnerabilities include:

• Buffer overflow (5) - CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5711, and CVE-2017-5712; and
• Privilege escalation (3) - CVE-2017-5708, CVE-2017-5709, and CVE-2017-5710

The underlying Intel problems are widespread and relatively serious. The Siemens advisory does not comment on the Intel mitigation measures (required dual firmware and software updates) nor the Intel detection tool. I wonder if they are still checking to see if those mitigations are compatible with their products or whether they are working on updates that will work with the Intel mitigation measures. It is not like Siemens not to provide this type of information.

Siemens Update


This update describes new mitigation information for the WannaCry vulnerability in the Siemens Healthineers ultrasound products. Technically, this update was included (but certainly not mentioned) in the latest ICS-CERT update of their WannaCry Alert (dated June 13th, 2017) since the link for this product line automatically takes one to the latest version.

Thursday, June 29, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Siemens (2) and Schneider.

Siemens Viewport Advisory


This advisory describes an improper authentication vulnerability in the Siemens Viewport for Web Office Portal. The vulnerability was reported by Hannes Trunde from Kapsch BusinessCom AG. Siemens has developed a new version that mitigates the vulnerability. There is no indication that Trunde has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to upload and execute arbitrary code. The Siemens security advisory reports that the attacker must have network access to the web server on port 443/TCP or port 80/TCP of the affected product.

Schneider Advisory


This advisory describes a number of vulnerabilities in the Schneider U.motion Builder. The vulnerabilities were reported by rgod via the Zero Day Initiative and were publicly disclosed on 6-12-17 on the ZDI site (ZDI-17-372 through ZDI-17-392). Schneider has a firmware patch scheduled for August to mitigate these vulnerabilities.

The reported vulnerabilities include (there were 22 vulnerabilities identified on the ZDI site):

• SQL injection - CVE-2017-7973;
• Path Traversal - CVE-2017-7974;
• Improper authentication - CVE-2017-9956;
• Use of hard-coded password - CVE-2017-9957;
• Improper access control - CVE-2017-9958;
• Denial of service - CVE-2017-9959;
• Information exposure through an error message - CVE-2017-9960

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remotely exploit these vulnerabilities to execute arbitrary commands or compromise the confidentiality, integrity, and availability of the system. The Schneider Security Advisory provides a number of generic mitigation measures that should be employed until the patch is applied.

Siemens SIMATIC Advisory


This advisory describes a permissions, privileges, and access controls vulnerability in various Siemens industrial products. The vulnerability actually exists in the Intel Active Management Technology (AMT) firmware on the Intel chipsets used in these products, not in Siemens' own software. The vulnerability was reported by Maksim Malyutin from Embedi to Intel. Siemens has produced updates for a number of industrial PC products and continues to work on the remainder.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to gain system privileges. The Siemens Security Advisory provides a detailed (2-page) list of vulnerable products.

NOTE: The Intel chipsets are almost certainly used in a wide variety of other ICS related PCs. I would like to assume that Intel has talked to other potentially affected vendors about this issue and that we can expect to see other similar announcements from other vendors.
 