Showing posts with label Kr00k. Show all posts

Wednesday, August 12, 2020

8 Advisories Published – 8-12-20


Yesterday the CISA NCCIC-ICS published eight control system security advisories for products from Siemens (5), Tridium, Schneider, and Yokogawa. There were also 22 updates published but those will be dealt with in a later blog post.

SICAM Advisory


This advisory describes a cross-site scripting vulnerability in the Siemens SICAM A8000 RTUs. The vulnerability was reported by Emma Good from KTH Royal Institute of Technology. Siemens has a new version that mitigates the vulnerability. There is no indication that Good has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to compromise the confidentiality, integrity, and availability of the web application.

Automation License Advisory


This advisory describes an improper authorization vulnerability in the Siemens Automation License Manager. The vulnerability was reported by Lasse Trolle Borup of Danish Cyber Defense. Siemens has a new version of ALM6 that mitigates the vulnerability. There is no indication that Borup has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to locally escalate privileges and modify files that should be protected against writing.

Desigo Advisory


This advisory describes a code injection vulnerability in the Siemens Desigo CC building management platform. This vulnerability is self-reported. Siemens has patches available that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to gain remote code execution on the server with SYSTEM privileges.

Simatic Advisory


This advisory describes the Kr00k vulnerability in the Siemens SIMATIC and SIMOTICS Wi-Fi services. This is a third-party vulnerability in the Broadcom Wi-Fi client devices with publicly available exploits. Siemens has provided generic workarounds pending development of updates.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to read a discrete set of traffic over the air after a Wi-Fi device state change. NCCIC-ICS provides no mention of the publicly available exploits.

SCALANCE Advisory


This advisory describes a classic buffer overflow in the Siemens SCALANCE and RUGGEDCOM products. This is the Linux Point-to-Point Protocol Daemon (pppd) vulnerability reported in March, and proof-of-concept exploit code is available. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain unauthenticated access to a device and cause a buffer overflow to execute custom code. NCCIC-ICS provides no mention of the publicly available exploits.

Tridium Advisory


This advisory describes a synchronous access of remote resource without timeout vulnerability in the Tridium Niagara product. The vulnerability was self-reported. Tridium has updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to result in a denial-of-service condition.

Schneider Advisory


This advisory describes two path traversal vulnerabilities in the Schneider APC Easy UPS On-Line. The vulnerabilities were reported by rgod via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to lead to remote code execution.

NOTE: Schneider also published six other advisories yesterday.

 

Yokogawa Advisory


This advisory describes two vulnerabilities in the Yokogawa CENTUM distributed control system. The vulnerabilities were reported by Nataliya Tlyapova, Ivan Kurnakov, and Positive Technologies. Yokogawa has patches that mitigate the vulnerabilities for products still under support. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2020-5608; and
• Path traversal - CVE-2020-5609

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote unauthenticated attacker to send tampered communication packets or create/overwrite any file and run any commands.

NOTE: I briefly discussed these vulnerabilities on August 1st.

Saturday, April 11, 2020

Public ICS Disclosures – Week of 4-4-20


This week we have three vendor disclosures for products from B&R Automation, Moxa and Rockwell Automation. There are also two sets of researcher reports for products from Advantech and Universal Robots.

B&R Advisory


B&R published an advisory describing three vulnerabilities in their Automation Studio. The vulnerabilities were reported by Yehuda Anikster and Amir Preminger from Claroty. B&R has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Privilege escalation - CVE-2019-19100;
• Incomplete communication encryption and validation - CVE-2019-19101; and
• Zip Slip vulnerability (third-party vulnerability) - CVE-2019-19102
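The Zip Slip entry above, and the path traversal vulnerabilities in the Yokogawa CENTUM and Schneider APC Easy UPS advisories in the August post, are the same defect class: an untrusted path (from a request or from an archive entry name) is joined onto a base directory without checking that the result still lies inside it, which is how "create/overwrite any file" comes about. The following is an added example written for this page, not code from the blog or from any of the vendors named here, showing the defensive check that closes that class in an archive extractor. The extraction root and the archive contents are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when an untrusted path would land outside the intended root."""


def resolve_under_root(root, untrusted):
    """Join an untrusted relative path onto root and return the absolute result.

    Rejects absolute paths, empty paths and any '..' component up front, then
    resolves symlinks and confirms the result still sits below root. Callers
    must use the returned path for the file operation, never the raw input.
    """
    root_path = Path(root).resolve()
    rel = PurePosixPath(str(untrusted).replace("\\", "/"))
    if rel.is_absolute() or ".." in rel.parts or not rel.parts:
        raise PathTraversalError(f"rejected path component in {untrusted!r}")
    candidate = root_path.joinpath(*rel.parts).resolve()
    # A symlink already present under root could still point outside it.
    if root_path not in candidate.parents:
        raise PathTraversalError(f"{untrusted!r} resolves outside {root_path}")
    return candidate


def audit_archive(zip_bytes, root="/srv/extract-root"):
    """Classify every entry of a zip without writing anything.

    Returns (accepted, rejected) lists of entry names. The default root is a
    hypothetical directory that only gives the check something to resolve against.
    """
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                resolve_under_root(root, info.filename)
                accepted.append(info.filename)
            except PathTraversalError:
                rejected.append(info.filename)
    return accepted, rejected


def extract_archive(zip_bytes, dest):
    """All-or-nothing extraction: refuse the whole archive if any entry fails.

    Files are written from checked paths rather than by trusting the archive's
    own names. Returns the relative paths that were written.
    """
    _, rejected = audit_archive(zip_bytes, dest)
    if rejected:
        raise PathTraversalError(f"archive contains traversal entries: {rejected}")
    dest_root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_under_root(dest_root, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest_root).as_posix())
    return written


def extract_and_read(zip_bytes):
    """Extract into a throwaway directory and return {relative path: contents}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        return {w: (root / w).read_text() for w in extract_archive(zip_bytes, tmp)}


def build_sample_archives():
    """Constructed sample input (not real vendor data): a clean archive and one
    whose entry names try to escape the extraction directory."""
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("config/readme.txt", "hello")
        zf.writestr("config/nested/app.ini", "[app]\nmode=safe\n")
    hostile = io.BytesIO()
    with zipfile.ZipFile(hostile, "w") as zf:
        zf.writestr("config/readme.txt", "hello")
        zf.writestr("../../escaped.txt", "would land two levels above dest")
        zf.writestr("/tmp/absolute.txt", "absolute names must be rejected too")
    return clean.getvalue(), hostile.getvalue()


if __name__ == "__main__":
    clean_zip, hostile_zip = build_sample_archives()
    print("hostile archive audit:", audit_archive(hostile_zip))
    print("clean archive extracted:", extract_and_read(clean_zip))
```

The check is done twice on purpose: once as an audit so a single bad entry rejects the whole archive before anything touches disk, and again at write time on the resolved destination so that a symlink already present under the root cannot redirect a write. The same `resolve_under_root` helper serves a web handler that maps a request path onto a document root, which is the shape of the Schneider and Yokogawa traversal findings.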

Moxa Advisory


Moxa published an advisory on the Kr00k vulnerability in their products. They report that none of their products are affected.

NOTE: Negative reports about third-party vulnerabilities are just as important as reporting an active vulnerability in a product.

Rockwell Advisory


Rockwell published an advisory describing a file permission vulnerability in their Current Program Updater software. The vulnerability was reported by Reid Wightman from Dragos. Rockwell has new versions that mitigate the vulnerability. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

NOTE: Rockwell is reporting a 2017 CVE (CVE-2017-5176) for this vulnerability. That vulnerability was reported by ICS-CERT on March 21st, 2017. If NCCIC-ICS were to pick up this advisory it would probably be as an update to that earlier advisory.

Advantech Reports


The Zero Day Initiative published five related reports (here, here, here, here, and here) for 0-day arbitrary file deletion vulnerabilities in the Advantech WebAccess program. The vulnerabilities were reported by Natnael Samson. ZDI reports that it has reported all five vulnerabilities to Advantech and ICS-CERT (their naming not mine) noting: “The vendor communicated that they will rely on existing measures and will add no amendments to the code.”

Universal Robots Reports


Aliasrobotics published four reports of vulnerabilities for products from Universal Robots. The vulnerabilities were reported by rvd-bot, bedieber and bbreilin. Aliasrobotics reportedly contacted Universal Robots about these vulnerabilities but has received no replies.

The four reported vulnerabilities are (links are to github pages which include proof-of-concept exploit code):

• Missing encryption of sensitive data - CVE-2020-10267;
• Missing authentication for critical function - CVE-2020-10265;
• Insufficient verification of data authenticity - CVE-2020-10266; and
• Exposure of sensitive information to unauthorized actor - CVE-2020-10264

Saturday, April 4, 2020

Public ICS Disclosures – Week of 3-28-20


This week we have eight vendor disclosures for products from PEPPERL+FUCHS, ABB (4), B&R Automation, GE Digital, and BD, and updates for two previous vendor disclosures from 3S.

PEPPERL+FUCHS Advisory


VDE CERT published an advisory describing a time-of-check time-of-use race condition vulnerability in the PEPPERL+FUCHS Tab-Ex 02 mobile device. This is the third-party 'Kr00k' vulnerability affecting encrypted Wi-Fi traffic, and PEPPERL+FUCHS reports that this is the only device of theirs that is vulnerable. PEPPERL+FUCHS plans on releasing an update to mitigate this vulnerability in May 2020.

NOTE: This vulnerability affects a variety of Broadcom and Cypress chipsets.

ABB Advisories


ABB published an advisory describing two weak file permission vulnerabilities in their System 800xA. The vulnerabilities were reported by William Knowles at Applied Risk. ABB has new versions that mitigate the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing four vulnerabilities in their Telephone Gateway. The vulnerabilities were reported by Maxim Rupp. The product was phased out in 2015 and there are no plans to mitigate the vulnerabilities.

The four reported vulnerabilities are:

• Improper authentication and access control - CVE-2019-19104;
• Unprotected storage of credentials - CVE-2019-19105;
• Permissions, privileges and access control - CVE-2019-19106; and
• Information exposure - CVE-2019-19107


ABB published an advisory describing a remote code execution vulnerability in their System 800xA information manager. The vulnerability was reported by William Knowles at Applied Risk. An update to mitigate this vulnerability will be included in the next product release.


ABB published an advisory describing a weak registries permission vulnerability in their System 800xA. The vulnerability was reported by William Knowles at Applied Risk. ABB has a new version that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

B&R Advisory


B&R published an advisory describing a race condition vulnerability in a variety of their products. This is the third-party Intel TPM-FAIL vulnerability. B&R has BIOS patches available to mitigate the vulnerability.

GE Advisory


GE published an advisory describing a privilege escalation vulnerability in their CIMPLICITY HMI/SCADA product. The vulnerability was reported by Claroty. GE has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

BD Advisory


BD published an advisory describing three remote code execution vulnerabilities on a variety of BD products. These are third-party Microsoft vulnerabilities in the Remote Desktop services. BD reports that it is currently working to test and validate the Microsoft patch for their products.

The three reported vulnerabilities (links are to MS reports on the vulnerability) are:

• CVE-2020-0610; and

3S Updates


3S published an update [.PDF download link] for an advisory that was originally published on March 25th, 2020. The new information reports the publicly available proof-of-concept exploit code that I covered last week.


3S published an update [.PDF download link] for an advisory that was originally published on March 25th, 2020. The new information reports the publicly available proof-of-concept exploit code that I covered last week.

Commentary


There are a lot of ‘third-party’ vulnerabilities being reported this week; all in systems that are likely to be found in products from other vendors. This is especially true when the ‘third-party’ is a major player like Intel or Microsoft.
