Review – 4 Advisories Published – 4-16-24

CISA’s NCCIC-ICS published four control system security advisories for products from RoboDK, Rockwell Automation, Electrolink, and Measuresoft.

Advisories

RoboDK Advisory - This advisory describes a heap-based buffer overflow vulnerability in the RoboDK RoboDK robotics development software.

Rockwell Advisory - This advisory describes an improper input validation vulnerability in the Rockwell ControlLogix and GuardLogix programmable logic controllers.

NOTE: The vendor link CISA provides in the advisory goes through an out-of-date Rockwell web portal to a 2023 advisory not associated with this vulnerability. The correct link is https://www.rockwellautomation.com/en-us/support/advisory.SD1666.html

Electrolink Advisory - This advisory describes seven vulnerabilities in the Electrolink transmitters.

Measuresoft Advisory - This advisory describes an improper access control vulnerability in the Measuresoft ScadaPro system.

 

For more information on these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-4-16-24 - subscription required.

Review -1 Advisory and 2 Updates Published – 9-22-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Measuresoft. They also updated two Mitsubishi advisories.

Measuresoft Advisory - This advisory describes an improper access control vulnerability in the Measuresoft ScadaPro Server.

Mitsubishi Update #1 - This update provides additional details on an advisory that was originally published on July 30^th, 2020 and most recently updated on July 28^th, 2022.

Mitsubishi Update #2 - This update provides additional details on an advisory that was originally published on September 1^st, 2020 and most recently updated on May 31^st, 2022.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-284 - subscription required.

Two DHS ICS-CERT Advisories

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two advisories for control system vulnerabilities identified in Measuresoft’s SCADAPRO and the xArrow Software HMI system. Alert readers will note that the xArrow Advisory is an update from an earlier xArrow Alert.

Measuresoft Advisory

Measuresoft is an Irish SCADA manufacturer and this advisory is based upon an uncontrolled search path element vulnerability (DLL hijack) reported by Carlos Mario Penagos Hollmann in a coordinated disclosure. The vulnerability could be remotely exploited by a moderately skilled attacker; possibly resulting in execution of arbitrary code.

Measuresoft has produced upgrades for both its ScadaPro Server and Client. According to the Advisory Hollmann has verified that the upgrades appropriately mitigate the vulnerability.

xArrow Advisory

xArrow Software is a Chinese software development firm. The four vulnerabilities were identified in their HMI by Luigi back in March and reported in an uncoordinated disclosure. The vulnerabilities listed are:

• Null pointer de-reference;

• Heap-based buffer overflow;

• Out-of-bounds read; and

• Improper restriction of operations within the bounds of the memory buffer.

The Advisory states that; “No known exploits specifically target these vulnerabilities.” This contradicts what ICS-CERT said in their original Alert and Luigi is well known for having exploit code on his web site (and it looks like exploit code to me for this disclosure). This is probably one of those formatting mistakes (using a canned format for the Advisory) rather than a deliberate misstatement on the part of ICS-CERT.

Missed Alert and Advisory

I did not report on an alert and an advisory published by ICS-CERT last week. The alert was for another Luigi uncoordinated disclosure for multiple (4) vulnerabilities in the Pro-Face Pro-Server SCADA/HMI product. The advisory was a follow-up to an earlier alert about a buffer overflow vulnerability in the Advantech Studio, an automation tool used to develop HMI and SCADA systems. There is no telling what sytems Studio has been used to develop of if any have been compromised through this vulnerability.