Showing posts with label Miele. Show all posts

Saturday, November 26, 2022

Review – Public ICS Disclosures – Week of 11-19-22

This week we have twenty-one vendor disclosures from ABB, Aruba Networks, Belden (3), Bosch, B&R, HPE (2), Johnson and Johnson, Miele, Mitsubishi (2), Moxa (2), Omron, PcVue, Pilz (3), and Unified Automation. We have two vendor updates from Mitsubishi and Schneider. Finally, we have three researcher reports of vulnerabilities in products from Callback Technologies.

Vendor Advisories

ABB Advisory - ABB published an advisory that discusses seven vulnerabilities (two with known exploits) in their ARM600 M2M Gateway.

Aruba Advisory - Aruba published an advisory that describes thirteen vulnerabilities in their EdgeConnect Enterprise product.

Belden Advisory #1 - Belden published an advisory that describes 23 vulnerabilities in their Hirschmann BAT-C2 product.

Belden Advisory #2 - Belden published an advisory that discusses an infinite loop vulnerability (with known exploit) in their Hirschmann HiLCOS products.

Belden Advisory #3 - Belden published an advisory that describes a command injection vulnerability in their Hirschmann BAT-C2.

Bosch Advisory - Bosch published an advisory that discusses 67 vulnerabilities (some with known exploits) in their PRA-ES8P2S Ethernet-Switch.

B&R Advisory - B&R published an advisory that discusses a link following vulnerability in a variety of their products.

HPE Advisory #1 - HPE published an advisory that discusses an information disclosure vulnerability in their IceWall Products.

HPE Advisory #2 - HPE published an advisory that describes four code execution vulnerabilities in their Cloudline CL2100/CL2200 Gen10 Servers.

J&J Advisory - J&J published an advisory that discusses the PrintNightmare vulnerability in their CARTO® 3 System.

Miele Advisory - CERT-VDE published an advisory that describes an authorization bypass through user-controlled key vulnerability in the Miele.

Mitsubishi Advisory #1 - Mitsubishi published an advisory that describes ten vulnerabilities in multiple FA Engineering Software products.

Mitsubishi Advisory #2 - Mitsubishi published an advisory that describes a denial-of-service vulnerability in their GOT2000 Series.

Moxa Advisory #1 - Moxa published an advisory that describes two vulnerabilities in multiple router products.

Moxa Advisory #2 - Moxa published an advisory that describes a privilege escalation vulnerability in their TN-5916 Series routers.

Omron Advisory - JP Cert published an advisory that describes three vulnerabilities in the Omron CX-Programmer.

PcVue Advisory - PcVue published an advisory that describes a clear-text storage of sensitive information vulnerability in their PcVue product.

Pilz Advisory #1 - Pilz published an advisory that describes a path traversal vulnerability in several Pilz products.

Pilz Advisory #2 - Pilz published an advisory that describes two vulnerabilities (one with known exploit) in their PASvisu HMI solution.

Pilz Advisory #3 - Pilz published an advisory that describes two path traversal vulnerabilities (one with known exploit) in several Pilz products.

Unified Automation - Unified Automation published an advisory that discusses an incorrect permission assignment for critical resource vulnerability in their OPC UA SDK.

Vendor Updates

Mitsubishi Update - Mitsubishi published an update for their Ethernet Port advisory that was originally published on November 30th, 2021 and most recently updated on July 26th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-334-02) for this new information, almost certainly because of the Thanksgiving holiday. I expect we will see that update this coming week.

Schneider Update - Schneider published an update for their APC Smart UPS advisory that was originally published on March 8th, 2022 and most recently updated on August 19th, 2022.

Researcher Reports

Callback Report #1 - Talos published a report describing a NULL pointer dereference vulnerability in the Callback CBFS Filter.

Callback Report #2 - Talos published a report describing a NULL pointer dereference vulnerability in the Callback CBFS Filter.

Callback Report #3 - Talos published a report describing a NULL pointer dereference vulnerability in the Callback CBFS Filter.

 

For more details on these disclosures, including links to third-party reports, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-6d2 - subscription required.

Saturday, July 11, 2020

Public ICS Disclosures – Week of 7-4-20


This week we have three new Ripple20 advisories and one update. We have two additional vendor disclosures for products from Moxa and GE.

Ripple20 Advisories and Updates


HMS published a Ripple20 advisory which provides a list of HMS products which are not affected by the vulnerabilities.

CERT-VDE published a Ripple20 advisory for the MIELE Communication Module XKM3000 L MED. It provides information on affected equipment and announces that: “A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.”

Draeger published a Ripple20 advisory announcing that Draeger medical devices are not affected.

Braun published a Ripple20 update that lists their Outlook 400ES infusion pump as their only affected product and that they are continuing to review Treck patches for applicability.

Moxa Advisory


Moxa has published an advisory describing two vulnerabilities in their MGate 5105-MB-EIP Series Protocol Gateways. The vulnerabilities were reported by Philippe Lin, Marco Balduzzi, Luca Bongiorni, Ryan Flores, Charles Perine, and Rainer Vosseler via the Zero Day Initiative. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture replay - CVE-2020-15494, and
• Exposure of sensitive information to an unauthorized actor - CVE-2020-15493

GE Advisory


GE has published an advisory describing the third-party Ghostcat vulnerability in their APM Connect UDLP 2.8 and earlier products relying upon Apache Tomcat servers. GE provides detailed mitigation measures.

NOTE: As with all third-party vulnerabilities, there is a potential for other ICS vendors to be affected by the same problem.

Saturday, May 25, 2019

Public ICS Disclosure – Week of 05-18-19


This week we have three vendor disclosures from Eaton, Bosch and Miele. There is also one exploit report for products from Anvis. I also found more vendor information on the Microsoft® RDP vulnerability.

Microsoft RDP Vulnerability

While the NCCIC-ICS has only released a very generic notice on the Microsoft® RDP vulnerability (CVE-2019-0708), a number of control system vendors this week have released their own outlook on the vulnerability in their products. The vendors include:

• Rockwell;
• Philips (update); and
• Siemens Healthineers.

With the number of medical device manufacturers reporting on the RDP vulnerability and the healthcare industry’s history of problems with WannaCry, you would think that the FDA would have issued at least a generic warning on the issue; but no, there is nothing on the medical device safety page.

Eaton Advisory


Eaton published an advisory reporting an undescribed vulnerability in the Eaton easySoft V6. Eaton is working on a new version to mitigate the vulnerability and offers generic workarounds in the meantime.

NOTE: This has to be the worst corporate vulnerability disclosure ever. Oh well, at least an advisory was published.

Bosch Advisory


Bosch has published an advisory describing an unauthenticated certificate access vulnerability in the Bosch Video Recording Manager (VRM) software. Bosch has firmware updates that mitigate the vulnerability.

Miele Advisory


CERT-VDE has published an advisory describing two vulnerabilities in the Miele XGW 3000 ZigBee Gateway. The vulnerabilities were reported by Maxim Rupp. Miele has a new version that mitigates the vulnerabilities. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authorization; and
• Cross-site request forgery

Anvis Exploit


Wizlab-IT published an exploit for security issues with the Anvis M3 RFID Access Control product. This was a coordinated disclosure and Anvis has a new version of the device that mitigates the vulnerability.

NOTE: So all of the vulnerable devices will be replaced?????

Thursday, March 30, 2017

ICS-CERT Publishes 2 Schneider Advisories and Medical IOT Alert

Today the DHS ICS-CERT published two control system advisories for products from Schneider Electric. They also published a medical control system alert for a medical lab device from Miele.

Modicon Advisory


This advisory describes multiple vulnerabilities in the Schneider Modicon PLCs. The vulnerabilities were reported by David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc. Schneider has produced new firmware versions to mitigate two of the vulnerabilities and workarounds for the remaining vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Predictable value range from previous values - CVE-2017-6030;
• Use of insufficiently random values - CVE-2017-6026; and
• Insufficiently protected credentials - CVE-2017-6028

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to spoof or disrupt Transmission Control Protocol (TCP) connections, sniff sensitive account information, and gain unauthorized access to a current web session.

Schneider has taken the unusual move of publishing separate Security Notification documents for each vulnerability (here, here, and here).

Wonderware Advisory


This advisory describes multiple vulnerabilities in the Schneider Wonderware InTouch Access Anywhere. The vulnerabilities were reported by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team. Schneider has produced a new version to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-Site Request Forgery - CVE-2017-5156;
• Information Exposure - CVE-2017-5158; and
• Inadequate Encryption Strength - CVE-2017-5160

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to perform actions on behalf of a legitimate user, perform network reconnaissance, and gain access to resources beyond those intended with normal operation of the product.

The Schneider Security Bulletin reports a fourth vulnerability: the ability to escape out of remote InTouch applications and launch other processes. No CWE information is provided for the fourth vulnerability. Schneider also reports that the researchers have verified the efficacy of the fix.

Miele Alert


This alert describes a publicly reported path traversal vulnerability in the Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings. ICS-CERT reports that Jens Regel publicly disclosed this vulnerability, but does not provide a link to the disclosure on the Full Disclosure web site.

The Miele press release on this vulnerability minimizes the criticality of the problem (perhaps legitimately so). What is more interesting is their comment on their failure to respond to Regel’s attempt at responsible disclosure:

“The technical aspects in this case are entirely separate from the fact that the Miele company failed to respond to several notifications regarding this issue. Executive Directors view this as a serious shortcoming, the details of which have already been investigated in depth with a view to preventing any repeat occurrence in future. They stress that they would like to thank Jens Regel, the source of this evidence, for his information – and for his perseverance.”


While the initial disclosure response was deficient, this certainly reflects a more helpful attitude of the upper management of the company.
 