Showing posts with label Microsoft. Show all posts

Saturday, May 1, 2021

Public ICS Disclosures – Week of 4-24-21

This week we have three vendor NAME:WRECK disclosures from Boston Scientific, Braun, and Rockwell. We also have 14 vendor disclosures from Beckhoff, Bosch (2), B&R Industrial Automation, MB connect, CODESYS (5), Moxa, ODA, and Texas Instruments (2). We have five researcher reports for products from Advantech (4) and Siemens. Finally, we have exploits for products from OpenPLC and VMware.

NAME:WRECK Advisories

Boston Scientific published an advisory discussing the NAME:WRECK vulnerabilities, announcing that they are investigating to see if any of their products are affected.

Braun published an advisory discussing the NAME:WRECK vulnerabilities, announcing that none of their ‘connected devices’ are affected.

Rockwell published an advisory discussing the NAME:WRECK vulnerabilities, providing a list of affected products and fixed versions.

Beckhoff Advisory

Beckhoff published an advisory describing an improper input validation vulnerability in their TwinCAT OPC UA Server and IPC Diagnostics UA Server. The vulnerability was reported by Industrial Control Security Laboratory of QI-ANXIN Technology Group. Beckhoff has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Bosch Advisories

Bosch published an advisory describing seven vulnerabilities in their ctrlX CORE - IDE App. These are third-party (OpenSSL and Python) vulnerabilities. The next version of the product will mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• Improper encoding or escaping of output - CVE-2020-26116 (exploit),

• Inadequate information (NIST ?) - CVE-2020-27619,

• HTTP request smuggling - CVE-2021-23336 (exploit),

• Integer overflow or wraparound - CVE-2021-23840, CVE-2021-23841,

• Classic buffer overflow - CVE-2021-3177 (exploit), and

• NULL pointer dereference - CVE-2021-3449

Bosch published an advisory describing an FTP backdoor in their Rexroth Fieldbus Couplers. Bosch provides generic workarounds.

B&R Advisory

B&R published an advisory describing an uncontrolled resource consumption vulnerability in their I/O system and HMI components. This is a third-party (Siemens) vulnerability. B&R provides generic workarounds.

MB Advisory

CERT-VDE published an advisory discussing the DNSpooq vulnerabilities in the MB connect mbNET products. MB connect has new versions that mitigate the vulnerabilities.

CODESYS Advisories

CODESYS published an advisory [.PDF download link] describing a cross-site request forgery vulnerability in their CODESYS Automation Server. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing a NULL pointer dereference vulnerability in their CODESYS V3 products containing the CmpGateway. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an insufficient verification of data authenticity vulnerability in their Development System V3. The vulnerability was reported by an OEM customer. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an insufficient verification of data authenticity vulnerability in their Development System V3. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an improper input validation vulnerability in their V3 products and Control V3 Runtime System Toolkit. The vulnerability was reported by Alexander Nochvay from Kaspersky Lab ICS CERT. CODESYS has a new version that mitigates the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

Moxa Advisory

Moxa published an advisory describing four vulnerabilities in their NPort IA5000A Series Serial Device Servers. The vulnerabilities were reported by Alexander Nochvay from Kaspersky Lab ICS CERT. Moxa has a new version to mitigate one of the vulnerabilities and workarounds for the others. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities:

• Improper access control - CVE-2020-27149,

• Unprotected storage of credentials - CVE-2020-27150,

• Cleartext transmission of sensitive information (2) - CVE-2020-27184 and CVE-2020-27185

ODA Advisory

ODA published an advisory describing an out-of-bounds write vulnerability in their Open Design Alliance Drawings SDK. ODA has a new version that mitigates the vulnerability.

NOTE: This is a very minimalist advisory.

TI Advisories

TI published an advisory discussing the BadAlloc vulnerabilities in their SimpleLink™ CC13XX, CC26XX, CC32XX and MSP432E4 products. TI provides generic workarounds for these vulnerabilities.

TI published an advisory describing an integer overflow vulnerability in their Networks Developers Kit. The vulnerability was reported by Omri Ben Bassat and David Atch of Microsoft. The product is no longer supported.

Advantech Report

The Zero Day Initiative published four reports for vulnerabilities in the Advantech WebAccess/HMI Designer products. The vulnerabilities were reported by kimiya and have been coordinated with NCCIC-ICS; an advisory from NCCIC-ICS is pending.

The four reported vulnerabilities are:

• Heap-based buffer overflow - ZDI-21-490 and ZDI-21-487,

• File parsing memory corruption - ZDI-21-489, and

• Out-of-bounds write - ZDI-21-488

Siemens Report

ZDI published a report describing an information validation vulnerability in the Siemens JT2Go product. The vulnerability was reported by Michael DePlante. ZDI has been coordinating with NCCIC-ICS since last September.

OpenPLC Exploit

Fellipe Oliveira published an exploit for a remote code execution vulnerability in the OpenPLC product. There is no CVE provided and no indications of coordination with the vendor. This may be a 0-day vulnerability.

VMware Exploit

Egor Dimitrenko published a Metasploit module for two vulnerabilities in the VMware vRealize Operations Manager. The vulnerabilities were reported by VMware on March 31st, 2021.

The two exploited vulnerabilities are:

• Server-side request forgery - CVE-2021-21975, and

• Arbitrary file write - CVE-2021-21983


Thursday, April 29, 2021

4 Advisories Published – 4-29-21

Today, CISA’s NCCIC-ICS published control system security advisories for products from multiple RTOS vendors, Johnson Controls, Cassia Networks, and Texas Instruments.

RTOS Advisory

This advisory describes 23 [corrected typo '13' to '23', 4-30-21 0853 EDT] different integer overflow or wraparound vulnerabilities in multiple real-time operating systems (RTOS). The vulnerabilities were discovered by Microsoft’s Section 52, the Azure Defender for IoT security research group and are collectively named BadAlloc. The advisory provides links to updated versions for most of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in unexpected behavior such as a crash or a remote code injection/execution.

NOTE: NCCIC-ICS has updated their remote access – VPN guidance:

“When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.”

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in Johnson Controls exacqVision Network Video Recorder running on unpatched versions of the Ubuntu operating system. This is a third-party (Sudo) vulnerability and there are exploits reported (here, here, and here for example). Johnson Controls recommends updating the Ubuntu operating systems to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability to obtain “Super User” access to the underlying Ubuntu Linux operating system.

Cassia Advisory

This advisory describes a path traversal vulnerability for the Cassia Networks Access Controller. The vulnerability was reported by Amir Preminger and Sharon Brizinov of Claroty. Cassia has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an attacker to read any file from the Access Controller server.

TI Advisory

This advisory describes five vulnerabilities in the Texas Instruments SimpleLink Wi-Fi products. The vulnerabilities were reported by David Atch and Omri Ben Bassat from Microsoft. TI has software versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Integer overflow or wraparound (4) - CVE-2021-22677, CVE-2021-22675, CVE-2021-22679, and CVE-2021-22671, and

• Stack-based buffer overflow - CVE-2021-22673

Saturday, February 27, 2021

Public ICS Disclosures – Week of 2-20-21

This week we have six vendor disclosures from Advantech, Aruba Networks (2), Bosch, Carestream, and VMware. We have a researcher report for products from Secomea (and B&R automation). Finally, there are two remote access exploits for products from ASUS and

Advantech Advisory

Advantech published an advisory discussing the DNSpooq vulnerabilities in their industrial cellular routers. Advantech notes that their routers are only vulnerable to the three ‘cache poisoning’ vulnerabilities. Advantech has new firmware that mitigates the vulnerabilities.

Aruba Advisories

Aruba published an advisory discussing the DNSpooq vulnerabilities in their products. Aruba reports that their products are only vulnerable to the three ‘cache poisoning’ vulnerabilities. Aruba will update the dnsmasq in “future routine maintenance patches”.

Aruba published an advisory describing twelve vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by multiple researchers via the BugCrowd platform. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Cross-site request forgery (2) - CVE-2021-29960 and CVE-2021-29961,

• Command injection (2) - CVE-2021-29962 and CVE-2021-29963,

• Improper access control - CVE-2021-29964,

• SQL injection (2) - CVE-2021-29965 and CVE-2021-29966,

• Reflected cross-site scripting - CVE-2021-29967,

• Authenticated stored cross-site scripting - CVE-2021-29968,

• Authenticated XML external entity - CVE-2021-29969, and

• Authenticated remote command injection (2) - CVE-2021-29970 and CVE-2021-29971

Bosch Advisory

Bosch published an advisory describing three vulnerabilities in their ctrlX CORE and the IoT Gateway. These are third-party (Linux kernel and sudo) vulnerabilities. Bosch reports that the next updates for the affected products would include updates for both the kernel and sudo.

The three reported vulnerabilities are:

• Improper locking and use after free - CVE-2020-29661,

• Out-of-bounds write - CVE-2021-3156 (multiple exploits publicly available), and

• Use after free - CVE-2021-3347 (exploit publicly available)

Carestream Advisory

Carestream published an advisory [.PDF download link] describing a heap-based buffer overflow vulnerability in a number of their products. This is a third-party (Chrome) vulnerability. Carestream reports that Chrome will be updated with the next software release for most of the affected products. This vulnerability has been exploited in the wild, but not yet in Carestream products.

VMware Advisory

VMware published an advisory describing three vulnerabilities in their VMware ESXi and vCenter Server. The vulnerabilities were reported by Mikhail Klyuchnikov of Positive Technologies, and Lucas Leong via the Zero Day Initiative. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Remote code execution - CVE-2021-21972,

• Heap-based buffer overflow - CVE-2021-21974,

• Server-side request forgery - CVE-2021-21973

Tenable has published a report on the vulnerabilities noting that these vulnerabilities have been exploited in the wild. NebulabdSec has published proof-of-concept code for the RCE vulnerability.

Secomea Report

Tenable published a report (including proof-of-concept code) describing three vulnerabilities in the Secomea GateManager (also applies to B&R GateManager). The report was coordinated with both Secomea and B&R; Secomea has a new version that mitigates the vulnerabilities. B&R’s response is pending.

The three reported vulnerabilities include:

• Reflected cross-site scripting - CVE-2020-29028,

• Authentication token exposed in URL path - CVE-2020-29030, and

• Authenticated malicious firmware upload - CVE-2020-29029

NOTE: This is likely to be a third-party vulnerability in products from vendors other than B&R.

Remote Access Exploits

H4rk3nz0 published an exploit for a remote code execution vulnerability in the ASUS Remote Link. There is no CVE# listed and no indication that ASUS had been contacted. This may be a 0-day exploit.

Matthew Dunn published a Metasploit module for an authentication timing vulnerability for Remote Desktop Web Access. There is no CVE# and no indication that Microsoft has been contacted. This may be a 0-day exploit.

Tuesday, November 17, 2020

4 Advisories Published – 11-17-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Schneider Electric, Real Time Automation, Paradox, and Johnson Controls.

Schneider Advisory

This advisory describes nine vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,

• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and

• Out-of-bounds read - CVE-2020-7557

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to result in remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Real Time Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Real Time Automation (RTA) 499ES EtherNet/IP (ENIP) Adaptor Source Code. The vulnerability was reported by Sharon Brizinov of Claroty. According to the Claroty report, RTA has a version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition, and a buffer overflow may allow remote code execution.

Claroty reports that a number of vendors appear to be using the vulnerable RTA ENIP stack.

Paradox Advisory

This advisory describes two vulnerabilities in the Paradox IP150 internet module. The vulnerabilities were reported by Omri Ben-Bassat of Microsoft. NCCIC-ICS provides an email address to contact Paradox for mitigation information.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-25189 (3 separate overflows under this CVE#), and

• Classic buffer overflow - CVE-2020-25185 (9 separate overflows under this CVE#)

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to remotely execute arbitrary code, which may result in the termination of the physical security system.

Johnson Controls Advisory

This advisory describes an improper authorization vulnerability in the Johnson Controls (Sensormatic Electronics) American Dynamics victor Web Client, and Software House C•CURE Web Client. The vulnerability was reported by Joachim Kerschbaumer. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an unauthenticated attacker on the network to create and sign their own JSON web token and use it to execute an HTTP API method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a denial-of-service attack.

Saturday, October 3, 2020

Public ICS Disclosures – Week of 9-26-20

This week we have ten vendor disclosures for products from WAGO (3), IBM, Bosch, B&R Automation (2), Moxa, BD, and Philips.

WAGO Advisories

CERT-VDE published an advisory describing an improper authentication and authorization vulnerability in the WAGO 750-8XX series PLCs. The vulnerability was reported by Maxim Rupp. WAGO has new firmware versions that mitigate the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

CERT-VDE published an advisory describing an improper authentication and access control vulnerability in the WAGO 750-36X and WAGO 750-8XX series PLCs. The vulnerability was reported by Maxim Rupp. WAGO has new firmware versions that mitigate the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

CERT-VDE published an advisory describing an improper neutralization of input during web page generation vulnerability in the Web-UI for WAGO 750-88X and WAGO 750-89X series PLCs. This vulnerability was reported by Secuninja. WAGO has new firmware versions that mitigate the vulnerability. There is no indication that Secuninja has been provided an opportunity to verify the efficacy of the fix.

IBM Advisory

IBM published an advisory describing an authentication bypass vulnerability in their Maximo Asset Management product. The vulnerability is being self-reported. IBM has updates that mitigate the vulnerability.

Bosch Advisory

Bosch published an advisory describing three vulnerabilities in their PRAESIDEO Network Controller and the PRAESENSA System Controller products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Bosch has software updates for the supported products that mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-6777,

• Cross-site request forgery - CVE-2020-6776, and

• Nonce reuse attack - CVE-2020-15688

NOTE: The last is a third-party vulnerability (GoAhead web server).

B&R Advisories

B&R published an advisory describing four vulnerabilities in their GateManager product. These vulnerabilities were reported by NCCIC-ICS on July 28th as being for the Secomea GateManager.

B&R published an advisory describing six vulnerabilities in their SiteManager and GateManager products. These vulnerabilities were reported by NCCIC-ICS last Tuesday, but the B&R advisory was not available when I published my blog post. It is not clear if the Secomea versions of these products are also affected by these vulnerabilities.

Moxa Advisory

Moxa published an advisory describing a device information leak vulnerability in their EDR-810 Series Industrial Secure Routers. The vulnerability was reported by the National Security Agency (yep, that is what the advisory says). Moxa has provided generic workarounds to mitigate the vulnerability.

BD Advisory

BD published an advisory describing a remote code execution vulnerability (CVE-2020-1147) in a third-party component (Microsoft) of a long list of their products. BD is working on testing and validation of the Microsoft patch.

Philips Advisory

Philips published an advisory describing a privilege elevation vulnerability (CVE-2020-1472) in a third-party component (Microsoft) of an undisclosed number of Philips products. No mitigation information has been provided.

Saturday, May 23, 2020

Public ICS Disclosures – Week of 5-16-20

This week we have two vendor disclosures for products from HMS and BD. There is also a researcher report on previously disclosed vulnerabilities from OSIsoft.

HMS Advisory

HMS published an advisory describing a certificate verification vulnerability in their eCatcher product. The vulnerability was reported by TÜV Rheinland. HMS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

BD Advisory

BD published an advisory describing two Windows Adobe Type Manager Library vulnerabilities in various BD products. BD is currently working to test and validate the appropriate Microsoft patch for these vulnerabilities.

OSIsoft Report

Applied Risk published a report on vulnerabilities in the OSIsoft PI System. These vulnerabilities were previously disclosed by NCCIC-ICS. This report provides links to the OSIsoft report on the vulnerabilities, but that report is behind a customer registration wall.

Wednesday, February 11, 2015

ICS-CERT Publishes an Update, an Advisory and an Alert

Yesterday the DHS ICS-CERT published an update for a Siemens advisory, a new advisory for an Advantech product line, and an alert for a Microsoft vulnerability.

Siemens Update

This update is for a WinCC advisory that was originally published last November. This update provides notification that the last affected system (WinCC 7.0 SP 3) now has an update available to mitigate the vulnerability. Siemens published their update last week.

Advantech Advisory

This advisory describes a buffer overflow vulnerability in the Advantech EKI-1200 MODBUS Gateway product line. The vulnerability was originally reported by Enrique Nissim and Pablo Lorenzzato of the Core Security Engineering Team in a coordinated disclosure. ICS-CERT reports that Advantech has a patch that mitigates the vulnerability but there is no indication that the researchers have validated that fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code.

Microsoft Alert

This alert describes a critical security update for the Microsoft Windows operating systems. The JASBUG vulnerability was first reported by four different researchers, including Jeff Schmidt at Global Advisors. Microsoft has produced an update that mitigates the vulnerability, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the update.

ICS-CERT reports that an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

ICS-CERT notes that just processing the update does not fix the vulnerability. Additional actions need to be taken by the system administrator before the fix actually mitigates the vulnerability.

Tuesday, July 24, 2012

ICS-CERT Publishes Three Advisories – Two for Siemens

Yesterday afternoon DHS ICS-CERT published three advisories; one about a recent coordinated disclosure and two about old vulnerabilities identified by the vendor. The new one concerns a single vulnerability in a variety of Invensys systems. Both of the older problems deal with Siemens systems. Oh, and remember this for later: the new advisory and one of the old ones deal with dll vulnerabilities.

Invensys Advisory

This advisory deals with an uncontrolled search path element vulnerability (otherwise known as a dll hijack) in a variety of products in the Wonderware System platform family. The vulnerability was discovered by Carlos Mario Penagos Hollmann. The advisory was first posted on the US-CERT secure portal on July 5th.

A moderately skilled attacker could exploit this vulnerability and place a malicious dll in the system. To exploit this vulnerability the attacker must have physical access to the system or be able to manipulate a user with access to the system.

Invensys has developed a patch for the affected systems which is available on the Wonderware web site.

Siemens Advisories

Siemens self-reported two vulnerabilities that are being addressed in separate advisories. The first is an insecure SQL server vulnerability and the second is a dll loading mechanism vulnerability. As if self-reporting is not odd enough (to be encouraged to be sure, but odd), the first vulnerability was patched in 2010 (update V5.5 SP1) and the second in 2011 (update V7.0 SP 2 Update 1). Both vulnerabilities can be remotely exploited and there are publicly available exploits for both.

No word about why Siemens wanted these vulnerabilities made public at this late date. It does seem obvious that they are the ones responsible for ICS-CERT publishing these now, but for the life of me I can’t figure out why.

MS DLL Advisory

I’m not sure if Chris Jager knew about the two dll vulnerabilities being reported by ICS-CERT, but in a Tweet this afternoon he pointed us at a Microsoft Security Advisory from earlier this month (actually updated the 17th time earlier this month) about insecure library loading. It discusses the type of dll injection attacks covered in the two advisories published today. It notes that MS has provided guidance to software developers “on how to correctly use the available application programming interfaces to prevent this class of vulnerability”.

More importantly for system owners “Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications”. While this is not a control system specific tool, the fact that this vulnerability has been found in so many ICS systems might make it an important tool that should be in the ICS security tool box.

It might be a good idea for ICS-CERT to partner with Microsoft on making this tool specifically available to ICS owners.
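As an added example, not from the blog post and not a Microsoft tool, here is a PowerShell audit of the setting that Microsoft's library-loading update exposes to administrators: the CWDIllegalInDllSearch registry value, which controls whether the current working directory is searched for dlls system-wide or for a specific application. The registry paths and value meanings are taken from Microsoft's KB2264107 documentation of that value (an assumption on my part, not something the post states), and the script only reads the registry.

```powershell
# Added audit script (not from the blog post, not a Microsoft tool). It reads the
# CWDIllegalInDllSearch value that Microsoft's insecure-library-loading update introduced.
# Assumed: registry locations and value meanings as documented in Microsoft KB2264107.
# Run in an elevated PowerShell session; the script only reads the registry.

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdIllegalInDllSearch {
    param([Parameter(Mandatory)][string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD comes back as a signed Int32 (0xFFFFFFFF reads as -1); normalise to unsigned
    return [uint32](([int64]($item.$ValueName)) -band 0xFFFFFFFF)
}

function Describe-CwdPolicy {
    param($Value)
    if ($null -eq $Value) {
        return 'not set: the current working directory is searched for DLLs (legacy default)'
    }
    switch ([uint32]$Value) {
        4294967295 { 'current working directory removed from the DLL search order (0xFFFFFFFF)' }
        2          { 'DLL load from the current directory blocked when it is a remote (WebDAV or UNC) path' }
        1          { 'DLL load from the current directory blocked when it is a WebDAV path' }
        0          { 'explicitly default: the current working directory is searched' }
        default    { "unrecognised value $Value" }
    }
}

# 1. System-wide policy
$system = Get-CwdIllegalInDllSearch -KeyPath $SystemKey
Write-Output "System-wide: $(Describe-CwdPolicy $system)"

# 2. Per-application overrides live under Image File Execution Options\<executable name>
Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $perApp = Get-CwdIllegalInDllSearch -KeyPath $_.PSPath
    if ($null -ne $perApp) {
        Write-Output "$($_.PSChildName): $(Describe-CwdPolicy $perApp)"
    }
}

# 3. Flag the weak state: with no system-wide hardening, every process without its own
#    override still uses the legacy search order, current directory included.
if ($null -eq $system -or $system -eq 0) {
    Write-Warning 'Current working directory is still in the DLL search order system-wide.'
    Write-Warning 'Hardened form (test first; some applications rely on the legacy order):'
    Write-Warning "  reg add `"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`" /v $ValueName /t REG_DWORD /d 0xffffffff /f"
}
```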