Showing posts with label National Centre for Nuclear Research Poland.

Sunday, May 16, 2021

Public ICS Disclosures – Week of 5-8-21, Part 3

Finally. We have seven vendor notifications from Schneider Electric. We also have six vendor updates for products from Schneider.

Schneider Advisories

Schneider published an advisory describing a weak password recovery mechanism for forgotten password vulnerability in their Modicon Managed Switch. Schneider has a new version that mitigates the vulnerability.

Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their Harmony HMI Products. The vulnerability was reported by Jie Chen of NSFOCUS. Schneider has a new version that mitigates the vulnerability. There is no indication that Jie has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing six improper check for unusual or exceptional conditions vulnerabilities in their Triconex Model 3009 Main Processor (MP) and Tricon™ Communication Module (TCM) Models. The vulnerabilities were reported by CNCERT/CC and Kunlun Digital Technology Co. Schneider reports that their engineers will have to fix the affected systems. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing nine vulnerabilities in their homeLYnk and spaceLYnk products. The vulnerabilities were reported by Sharon Brizinov of Claroty. Schneider has a new version that mitigates the vulnerabilities. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper privilege management (2) - CVE-2021-22732 and CVE-2021-22733,

• Improper verification of cryptographic signature (2) - CVE-2021-22734 and CVE-2021-22735,

• Path traversal - CVE-2021-22736,

• Insufficiently protected credentials - CVE-2021-22737,

• Use of broken or risky cryptographic program - CVE-2021-22738, and

• Information exposure (2) - CVE-2021-22739 and CVE-2021-22740

Schneider published an advisory describing an improper input validation vulnerability in their Modicon M241 & M251 Logic Controllers. The vulnerability was reported by Marcin Dudek, Kinga Staszkiewicz, Jakub Suchorab, and Joanna Walkiewicz from National Centre for Nuclear Research Poland. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory discussing six vulnerabilities in a variety of their products. These are third-party (CODESYS) vulnerabilities. Schneider has new versions that mitigate the vulnerabilities.

The six vulnerabilities reported are:

• Buffer overflow - CVE-2020-10245,

• Insufficient verification of data authenticity - CVE-2020-6081,

• Cross-site scripting - CVE-2019-13538,

• Incorrect permission assignment for critical resource - CVE-2019-9008,

• Improper input validation - CVE-2019-9009, and

• Uncontrolled resource consumption - CVE-2020-7052.

NOTE: Links to CODESYS advisories. There is no CODESYS advisory listed for CVE-2020-6081 in the NIST database.

Schneider published an advisory describing a use of password hash with insufficient computational effort vulnerability in their EcoStruxure Geo SCADA Expert products. The vulnerability was reported by Nicholas Hobbs. Schneider has a new version that mitigates the vulnerability. There is no indication that Hobbs has been given an opportunity to verify the efficacy of the fix.

Schneider Updates

Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on April 12th, 2021. The new information includes adding remediation for ZBRCETH Modbus TCP communication module for ZBRN1 Harmony Hub.

Schneider published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on October 13th, 2020. The new information includes updating remediations for Modicon M241 Micro PLC and Modicon M251 Micro PLC.

Schneider published an update for their Modicon Controllers advisory that was originally published on March 20th, 2020 and most recently updated on November 10th, 2020. The new information includes adding a recommendation for customers on EcoStruxure™ Control Expert versions prior to V15.0 to upgrade to remediate CVE-2020-7475.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on December 8th, 2020. The new information includes adding all versions of BMXNOC0401 to the affected products table.

Schneider published an update for their Web Server on Modicon M580 Controllers advisory that was originally published on October 8th, 2019 and most recently updated on April 15th, 2021. The new information includes announcing that mitigation measures are now available for CVE-2019-6849 on the BMENOC0311.

Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018. The new information includes:

• Updating CVSS scores, and

• Adding Modicon M580 and clarification on Modicon M340 affected products.

Wednesday, October 10, 2018

7 Advisories and 7 Updates Published


Yesterday the DHS NCCIC-ICS published seven control system security advisories for products from Fuji Electric, Hangzhou Xiongmai Technology Co, Siemens (4) and GE. They also updated seven previously issued advisories for products from Siemens.

Fuji Advisory


This advisory describes an uncontrolled search path element vulnerability in the Fuji Electric Energy Savings Estimator. The vulnerability was reported by Karn Ganeshen. Fuji has released an update that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an attacker to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.

Hangzhou Advisory


This advisory describes three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. The vulnerabilities were reported by Stefan Viehböck of SEC Consult Vulnerability Lab. Hangzhou has not provided mitigations for these vulnerabilities.

The three reported vulnerabilities are:

• Predictable from observable state - CVE-2018-17917;
• Hidden functionality - CVE-2018-17919; and
• Missing encryption of sensitive data - CVE-2018-17915

NCCIC-ICS reports that a relatively low-skilled attacker with remote access could use a publicly available exploit to exploit these vulnerabilities to allow unauthorized access to video feeds with the potential to modify settings, replace firmware, and/or execute code.

SIMATIC S7-1500 Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200SP Open Controller. The vulnerability was reported by Marcin Dudek, Jacek Gajewski, Kinga Staszkiewicz, Jakub Suchorab, and Joanna Walkiewicz from National Centre for Nuclear Research Poland. Siemens has updates to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the network stack.

SIMATIC S7-1200 Advisory


This advisory describes a cross-site request forgery vulnerability in the Siemens SIMATIC S7-1200 CPU Family Version 4. The vulnerability was reported by Lisa Fournet and Marl Joos from P3 communications GmbH. Siemens has a firmware update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow a CSRF attack if an unsuspecting user is tricked into accessing a malicious link.

ROX II Advisory


This advisory describes two improper privilege management vulnerabilities in the Siemens ROX II. The vulnerabilities were reported by Gerard Harney from NCC Group (reported in Siemens advisory not NCCIC-ICS). Siemens has a new version that mitigates the vulnerabilities. There is no indication that Harney has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow valid users to escalate their privileges and execute arbitrary commands.

SCALANCE Advisory


This advisory describes a cryptographic issues vulnerability in the Siemens SCALANCE W1750D. The vulnerability is fully described on the Return of Bleichenbacher's Oracle Threat (ROBOT) web site. Siemens is self-reporting the vulnerability. Siemens has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability using publicly available exploits to allow an attacker to decrypt TLS traffic.

NOTE: I suspect that other ICS devices using TLS services could face similar TLS ROBOT problems. Too bad NCCIC-ICS has not done an alert on this issue. Then again, does NCCIC-ICS do alerts?

GE Advisory


This advisory describes an unsafe ActiveX control marked safe for scripting vulnerability in the GE Gigasoft component of iFIX. The vulnerability was reported by LiMingzheng of 360 aegis security team. Recent versions of iFIX mitigate the vulnerability. There is no indication that LiMingzheng has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a buffer overflow condition.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, and most recently on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for SIMATIC S7-1200 CPU.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018. The new information includes revised affected versions data and mitigation measures for SINUMERIK 828D.

SIMATIC PCS7 Update


This update provides additional information on an advisory that was originally published on November 2nd, 2018 and updated on June 12th, 2018. The new information includes revised affected versions data and mitigation measures for:

• OpenPCS 7 V8.1; and
• SIMATIC WinCC Runtime Professional V13

SIMATIC WinCC Update


This update provides additional information on an advisory that was originally published on April 19th, 2018. The new information includes revised affected versions data and mitigation measures for WinCC OA Operator App.

SINAMICS Update


This update provides additional information on an advisory that was originally published on May 8th, 2018. The new information includes revised affected versions data and mitigation measures for SINAMICS GM150 V4.7 w. PROFINET.

SIMATIC Step7 Update


This update provides additional information on an advisory that was originally published on August 14th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC STEP 7 (TIA Portal); and
• WinCC (TIA Portal) V13

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC S7-1200 CPU;
• SIMATIC STEP 7 (TIA Portal) V13; and
• SIMATIC WinCC (TIA Portal) V13
