Today CISA’s NCCIC-ICS published 15 control systems security
advisories for products Siemens (12), JTEKT, Advantech, and Schneider Electric.
One of the Siemens advisories also affects products from Milestone and another
also affects products from PKE.
Milestone Advisory
This advisory
describes a use of hard-coded cryptographic key in the Siemens Siveillance (Milestone)
Video Open Network Bridge (ONVIF). The vulnerability was
reported by Milestone PSIRT. Siemens has a hot fix and Milestone has an
update to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an authenticated remote
attacker to retrieve and decrypt all user credentials stored on the ONVIF
server.
Nucleus Advisory #1
This advisory
describes a use of insufficiently random variables vulnerability in the Siemens
Nucleus DNS module. This is one of the NAME:WRECK
DNS vulnerabilities reported by Forescout and JSOF. Siemens has generic
workarounds to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker to poison the
DNS cache or spoof DNS resolving.
SIMOTICS Advisory
This advisory
describes four vulnerabilities in the Siemens SIMOTICS CONNECT 400. The
vulnerabilities were self-reported. These are NAME:WRECK vulnerabilities in the
third-party Mentor DNS Module. Siemens has a new version that mitigates the
vulnerabilities.
The four reported vulnerabilities are:
• Improper null termination - CVE-2020-27736,
• Out-of-bounds read - CVE-2020-27737,
and
• Access of memory location after
end of buffer - CVE-2020-27738 and CVE-2021-25677
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow an attacker to poison the
DNS cache or spoof DNS resolving.
Tecnomatix Advisory
This advisory
describes an out-of-bounds write in the Siemens Tecnomatix RobotExpert. The
vulnerability was reported by Francis Provencher via the Zero Day Initiative.
Siemens has a new version that mitigates the vulnerability. There is no
indication that Provencher has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow remote code execution.
TIM Advisory
This advisory
describes 14 vulnerabilities in the Siemens TIM 4R-IE. This is a third-party
vulnerability (ntp.d in SNTP). The vulnerabilities are self-reported.
The 14 reported vulnerabilities are:
• Incorrect type conversion or cast
- CVE-2015-5219,
• Improper input validation (4) - CVE-2015-7855 (exploit), CVE-2015-7705, CVE-2015-8138,
and CVE-2016-1547,
• Improper authentication (2) - CVE-2015-7871 and CVE-2016-4953
• Security features - CVE-2015-7973,
• Null pointer dereference - CVE-2015-7977,
• Data processing errors (2) - CVE-2015-7979
and CVE-2016-1548,
• Exposure of sensitive information
to an unauthorized actor - CVE-2016-1550,
and
• Race condition - CVE-2016-4954
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to compromise the confidentiality,
integrity, and availability of the device.
PKE Advisory
This advisory
describes twelve vulnerabilities in the Siemens (and PKE) Control Center Server
(CCS). The vulnerabilities were reported by Raphaël Rigo of Airbus Security Lab.
Siemens (and PKE) has new versions that mitigate the vulnerabilities. There is
no indication that Rigo has been provided an opportunity to verify the efficacy
of the fix.
The 12 reported vulnerabilities are:
• Cleartext storage of sensitive
information in GUI - CVE-2019-13947,
• Improper authentication (2) - CVE-2019-18337
and CVE-2019-18341
• Relative path traversal - CVE-2019-18338,
• Use of a broken or risky cryptographic
algorithm - CVE-2019-18340,
• Exposed dangerous method or
function - CVE-2019-18342,
• Path traversal - CVE-2019-19290,
• Cleartext storage in a file or on
a disk - CVE-2019-19291,
• SQL Injection - CVE-2019-19292,
• Cross-site scripting (2) - CVE-2019-19293
and CVE-2019-19294, and
• Insufficient logging - CVE-2019-19295
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker to read and
write arbitrary files and sensitive data and execute commands and arbitrary
code.
NOTE: These vulnerabilities were removed from earlier
Siemens Advisories, SSA-761617
and SSA-844761.
LOGO! Advisory
This advisory
describes two vulnerabilities in the Siemens LOGO! engineering software
products. The vulnerabilities were reported by Mashav Sapir from Claroty.
Siemens provides generic workarounds to mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Path traversal - CVE-2020-25243,
and
• Uncontrolled search path element
- CVE-2020-25244
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow a local attacker to take over
the system where the software is installed.
NOTE: Someone slipped up on the listing of ‘Equipment’ and ‘Vulnerability’
in the ‘Executive Summary’ section of the advisory.
SINEMA Advisory
This advisory
describes two vulnerabilities in the Siemens SINEMA Remote Connect Server. These
are third-party vulnerabilities (libxml2). Siemens has a new version that
mitigates the vulnerabilities.
The two reported vulnerabilities are:
• Missing release of resource after
effective lifetime - CVE-2019-19956,
and
• Infinite loop - CVE-2020-7595
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker to cause a
memory leak or an infinite loop situation resulting in a denial-of-service
condition.
SCALANCE Advisory
This advisory
describes two vulnerabilities in the Siemens Web Server of SCALANCE X200. The
vulnerabilities are self-reported. Siemens has a new version that mitigates the
vulnerabilities.
The two reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2021-25668,
and
• Stack-based buffer overflow - CVE-2021-25669
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to cause a buffer overflow
condition resulting in remote code execution.
Solid Edge Advisory
This advisory
describes five vulnerabilities in the Siemens Solid Edge software tools. The
vulnerabilities were reported by Francis Provencher and rgod via ZDI. Siemens
has updates that mitigate the vulnerabilities. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The five reported vulnerabilities are:
• Out-of-bounds write - CVE-2020-28385,
CVE-2021-25678, CVE-2021-27380,
• Untrusted pointer dereference - CVE-2020-26997,
and
• Stack-based buffer overflow - CVE-2021-27382
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerabilities to lead to a crash,
arbitrary code execution, or data extraction on the target host system.
Nucleus Advisory #2
This advisory describes
two infinite loop vulnerabilities in the Siemens Nucleus products. The
vulnerabilities were self-reported. Siemens has a new version for one of the
affected products that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to cause a denial-of-service
condition.
Nucleus Advisory #3
This advisory
describes two vulnerabilities in the Siemens Nucleus DNS module. These are two
of the NAME:WRECK DNS vulnerabilities reported by Forescout and JSOF. Siemens provides
generic work arounds to mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Out-of-bounds write - CVE-2020-15795,
and
• Use of out-of-range pointer
offset - CVE-2020-27009
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow a denial-of-service
condition or for the execution of code remotely.
NOTE: There were two additional Siemens’ advisories published
today that were not covered by NCCIC-ICS. If they are not covered on Thursday,
I will address them on Saturday.
JTEKT Advisory
This advisory
describes an improper resource shutdown or release vulnerability in the JTEKT TOYOPUC
products. The vulnerability was reported by Younes Dragoni from Nozomi Networks.
JTEKT has provided generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an unauthorized user to stop
Ethernet communications between devices from being established.
Advantech Advisory
This advisory
describes an incorrect permission assignment for critical resources in the
Advantech WebAccess/SCADA. The vulnerability was reported by Chizuru Toyama of
TXOne IoT/ICS Security Research Labs of Trend Micro. Advantech has a new
version that mitigates the vulnerability. There is no indication that Toyama
has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to login as an
‘admin’ to fully control the system.
Schneider Advisory
This advisory
describes an improper restriction of XML external entity reference
vulnerability in the Schneider SoMachine Basic products. The vulnerability was reported by Gjoko
Krstikj of Applied Risk. Schneider has a new product that replaces the affected
product and has updated the mitigation measures.
NOTE 1: This is actually based upon an update to a Schneider
advisory that was published on May 22nd, 2018.
NOTE 2: Schneider also published
two advisories and two other updates today. If they are not covered by NCCIC-ICS
on Thursday, I will address them here on Saturday.
Posts
