Showing posts with label Natnael Samson. Show all posts

Thursday, September 10, 2020

4 Advisories Published – 9-10-20


Today the CISA NCCIC-ICS published three control system and one medical device security advisories for products from HMS Network, FATEK Automation, AVEVA, and Philips.

HMS Advisory


This advisory describes a permissive cross-domain policy with untrusted domains vulnerability in the HMS Ewon Flexy and Cosy products. The vulnerability was reported by Parth Srivastava of Protiviti India Member Private Limited. HMS has updated firmware that mitigates the vulnerability. There is no indication that Srivastava has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow attackers to retrieve limited confidential information.

FATEK Advisory


This advisory describes a stack-based buffer overflow vulnerability in the FATEK PLC WinProladder. The vulnerability was reported by Natnael Samson via the Zero Day Initiative. FATEK has not responded to NCCIC-ICS about this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed; a buffer overflow condition may cause a denial-of-service event and remote code execution.

AVEVA Advisory


This advisory describes an SQL injection vulnerability in the AVEVA Enterprise Data Management Web. The vulnerability was reported by Yuri Kramarz of Cisco Talos. AVEVA has an upgrade that mitigates the vulnerability. The AVEVA advisory notes that Kramarz has verified the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a remote attacker to execute arbitrary SQL commands on the affected device.

Philips Advisory


This advisory describes eight vulnerabilities in the Philips Patient Information Center iX (PICiX), PerformanceBridge Focal Point, and IntelliVue Patient Monitor products. The vulnerabilities were reported by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH, and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, via BSI. Philips plans on releasing updates over the next year.

The eight reported vulnerabilities are:

• Improper neutralization of formula elements in a CSV file - CVE-2020-16214,
• Cross-site scripting - CVE-2020-16218,
• Improper authentication - CVE-2020-16222,
• Improper check for certificate revocation - CVE-2020-16228,
• Improper handling of length parameter inconsistency - CVE-2020-16224,
• Improper validation of syntactic correctness of input - CVE-2020-16220,
• Improper input validation - CVE-2020-16216, and
• Exposure of resource to wrong sphere - CVE-2020-16212

NCCIC-ICS reports that a relatively low-skilled attacker with either physical access to surveillance stations and patient monitors or access to the medical device network could exploit the vulnerabilities to allow unauthorized access, interrupted monitoring, and collection of access information and/or patient data.

Tuesday, August 25, 2020

3 Advisories Published – 8-25-20


Today the CISA NCCIC-ICS published three control system security advisories for products from WECON, Emerson, and Advantech.

WECON Advisory


This advisory describes a stack-based buffer overflow vulnerability in the WECON LeviStudioU. The vulnerabilities (see note below) were reported by Natnael Samson via the Zero Day Initiative. WECON is working on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

NOTE: As I noted last Saturday, Samson reported 22 separate stack-based buffer overflow vulnerabilities (ZDI-20-1055 thru ZDI-20-1076) in this product. NCCIC-ICS lumped the ‘multiple buffer overflow vulnerabilities’ into a single CVE (CVE-2019-16243). Samson’s ZDI reports provide the name of each of the affected modules of the program. The ZDI advisories also note that in order to exploit the vulnerabilities an authenticated user must “visit a malicious page or open a malicious file”; presumably this would require a social engineering attack.

Emerson Advisory


This advisory describes an inadequate encryption strength vulnerability in the Emerson OpenEnterprise SCADA Software. The vulnerability was reported by Roman Lozko of Kaspersky. Emerson has a new service pack that mitigates the vulnerability. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker access to credentials held by OpenEnterprise used for accessing field devices and external systems.

Advantech Advisory


This advisory describes a path traversal vulnerability in the Advantech iView device management application. The vulnerability was reported by KPC via ZDI. Advantech has a new version that mitigates the vulnerability. There is no indication that KPC has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application.

Saturday, August 22, 2020

Public ICS Disclosures – Week of 8-15-20


This week we have three vendor disclosures for products from Phoenix Contact, Moxa, and Eaton and one update from Rockwell. There are researcher reports for products from WECON. There were two control system exploits published for products from PNPSCADA and Geutebruck.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing a synchronous access of remote resource without timeout vulnerability in their Emalytics, ILC 2050 BI and ILC 2050 BI-L products. This is a third-party vulnerability in the Tridium Niagara product that was reported earlier this month by NCCIC-ICS. Phoenix Contact reports that they expect to fix this vulnerability in the next firmware update in October 2020.

Moxa Advisory


Moxa published an advisory describing six vulnerabilities in their NPort IAW5000A-I/O Series Serial Device Servers. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation,
• Improper privilege management,
• Weak password requirements,
• Cleartext transmission of sensitive information,
• Improper restriction of excessive authentication attempts, and
• Information exposure

Eaton Advisory


Eaton published an advisory describing two vulnerabilities in their Secure Connect Android Mobile app. The vulnerabilities were reported by Vishal Bharad. Eaton has a new version that mitigates the vulnerabilities. There is no indication that Bharad has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Information exposure, and
• Information exposure through log files

Rockwell Update


Rockwell published an update for an advisory that was originally published on July 8th, 2020 and most recently updated on July 23rd, 2020. The new information includes links to additional detections.

WECON Reports


The Zero Day Initiative has published 22 reports (ZDI-20-1055 thru ZDI-20-1076) of 0-day vulnerabilities in the WECON LeviStudioU. The vulnerabilities have been reported to ‘ICS-CERT’ (presumably CISA NCCIC-ICS), which reportedly received no response from WECON. The vulnerabilities were reported by Natnael Samson. The vulnerabilities are all stack-based buffer overflows in various components of the LeviStudioU product. No CVEs have been reported.

PNPSCADA Exploit


İsmail ERKEK published an exploit for an SQL injection vulnerability in the PNPSCADA. There is no CVE for this vulnerability and there is no indication that ERKEK has contacted the vendor, so this looks like it is a 0-day vulnerability.

Geutebruck Exploit


Davy Douhine published a Metasploit module for an authenticated arbitrary command execution vulnerability in Geutebruck G-Cam and G-Code cameras. This vulnerability was previously reported by NCCIC-ICS.

Thursday, July 9, 2020

2 Advisories and 1 Update Published – 7-9-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Phoenix Contact. They also updated an advisory for products from Rockwell.

Rockwell Advisory


This advisory describes an improper restriction of XML external entity reference vulnerability in the Rockwell Logix Designer Studio 5000. The vulnerability was reported by the Incite Team during the Pwn2Own competition at the S4x20 Security Conference. Rockwell provides generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an unauthenticated attacker to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.

NOTE: NCCIC-ICS does not provide the link to the Rockwell advisory.

Phoenix Contact Advisory


This advisory describes two vulnerabilities in the Phoenix Contact Automation Worx Software Suite. The vulnerabilities were reported by Natnael Samson and mdm via the Zero Day Initiative. Phoenix Contact provides generic mitigation measures pending development of a new version.

The two reported vulnerabilities were:

• Stack-based buffer overflow - CVE-2020-12497, and
• Out-of-bounds read - CVE-2020-12498

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to execute arbitrary code under the privileges of the application.

NOTE #1 – NCCIC-ICS does not provide the link to the Phoenix Contact advisory.

NOTE #2 – I briefly described these vulnerabilities last Saturday.

Rockwell Update


This update provides additional information on an advisory that was originally published on June 11th, 2020. The new information includes the removal of RSLinx Classic from the list of affected products.

Saturday, July 4, 2020

Public ICS Disclosures – Week of 6-27-20


This week we have one new Ripple20 advisory and two updates from vendors. There are two additional vendor advisories from Mitsubishi and Phoenix Contact and two researcher disclosures for products from Delta Industrial Automation and Rockwell.

Ripple20 Advisories


Moxa has published an advisory for the Ripple20 vulnerabilities reporting that none of their products are affected.

HMS has published an update for their Ripple20 advisory that was originally published on June 23, 2020. The new information is the addition of Ewon Netbiter 300-series to the list of unaffected products.

Schneider has published an update for their Ripple20 advisory that was originally published on June 23, 2020. The new information includes:

• Revised affected product data for Enhanced Andover Continuum, and
• Added Acti9 Smartlink EL B to the affected product list.

Mitsubishi Advisory


Mitsubishi published an advisory describing six vulnerabilities in the TCP/IP stack for their GOT2000 Series HMI. Mitsubishi reports that these vulnerabilities are in the third-party CoreOS. These vulnerabilities are self-reported. Mitsubishi has updates that mitigate the vulnerabilities.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5595,
• Session fixation - CVE-2020-5596,
• Null pointer dereference - CVE-2020-5597,
• Improper access control - CVE-2020-5598,
• Argument injection - CVE-2020-5599, and
• Resource management errors - CVE-2020-5600

NOTE: I wonder what other control system products are using the affected CoreOS?

Phoenix Contact Advisory


Phoenix Contact has published an advisory describing two vulnerabilities in their Automation Worx Software Suite. The vulnerabilities were reported by Natnael Samson and mdm via the Zero Day Initiative. Phoenix Contact provides generic mitigation measures pending a new version of the affected products.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-12497, and
• Out-of-bounds read - CVE-2020-12498

Delta Industrial Advisories


The Zero Day Initiative published 13 advisories (ZDI-20-787 thru ZDI-20-799) for two different types of vulnerabilities in the Delta Industrial DOPsoft HMI design software. The vulnerabilities were reported by Natnael Samson. These were coordinated disclosures (via NCCIC-ICS) with an expected fix from Delta Industrial in September. ZDI is reporting these as 0-day vulnerabilities.

The two vulnerability types are:

• Out-of-bounds read, and
• Heap-based buffer overflow

Rockwell Report


Applied Risk published a report describing two vulnerabilities in the Rockwell FactoryTalk Services Platform. Rockwell published their advisory on these vulnerabilities on June 25th, 2020.

Tuesday, June 30, 2020

2 Advisories and 2 Updates Published – 6-30-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Delta Industrial. They also updated two advisories for products from Treck and Inductive Automation.

Mitsubishi Advisory


This advisory describes two vulnerabilities in the Mitsubishi Factory Automation Engineering Software Products. The vulnerabilities are self-reported. Mitsubishi has new versions that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper restriction of XML external entity reference - CVE-2020-5602, and
• Uncontrolled resource consumption - CVE-2020-5603

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a local attacker to send files outside of the system as well as cause a denial-of-service condition.

NOTE: NCCIC-ICS did not provide a link to the Mitsubishi advisory.

Delta Advisory


This advisory describes two vulnerabilities in the Delta Industrial Automation DOPSoft HMI editing software. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Delta expects to have a new version to mitigate these vulnerabilities available next month (July).

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-10597, and
• Heap-based buffer overflow - CVE-2020-14482

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

Treck Update


This update provides new information on an advisory that was originally published on June 16th, 2020 and most recently updated on June 18th, 2020. The new information includes the addition of links to two new affected vendors’ advisories:

• CareStream, and
• Eaton

NOTE: I briefly mentioned the Eaton advisory last Saturday.

Inductive Update


This update provides new information on an advisory that was originally published on May 26th, 2020 and most recently updated on June 2nd, 2020. The new information includes:

• The addition of a new vulnerability – missing authentication for critical function - CVE-2020-14479, and
• A note that it will be corrected in an expected future version update.


NOTE: There is no mention of the two updates listed above on either the CISA Industrial Control Systems landing page or the associated Recently Published page. Fortunately ICS-CERT (ics-cert@ncas.us-cert.gov) sent out email notifications and TWEETS® on the two updates.

Thursday, May 7, 2020

1 Advisory Published – 5-7-20


Today the CISA NCCIC-ICS published a control system security advisory for products from Advantech.

Advantech Advisory

This advisory describes eight vulnerabilities in the Advantech WebAccess Node. The vulnerabilities were reported by Natnael Samson and Z0mb1E via the Zero Day Initiative. Advantech has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities are:

• Improper validation of array index - CVE-2020-12022,
• Relative path traversal - CVE-2020-12010, CVE-2020-12006,
• SQL injection - CVE-2020-12014,
• Stack-based buffer overflow - CVE-2020-12002,
• Heap-based buffer overflow - CVE-2020-10638, and
• Out-of-bounds read - CVE-2020-12018

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, remote code execution, and compromise system availability.

Tuesday, April 28, 2020

1 Advisory Published – 4-28-20


Today the CISA NCCIC-ICS published a control system security advisory for products from LCDS.

LCDS Advisory


This advisory describes two vulnerabilities in the LCDS LAquis SCADA. The vulnerabilities were reported by Natnael Samson via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Exposure of sensitive data to an unauthorized actor - CVE-2020-10618; and
• Improper input validation - CVE-2020-10622.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow unauthorized attackers to view sensitive information and create files in arbitrary locations.

Wednesday, April 15, 2020

9 Advisories and 5 Updates – 4-14-20


Yesterday the CISA NCCIC-ICS published nine control system security advisories for products from Siemens (6), Triangle MicroWorks (2) and Eaton. They also published updates for five advisories for products from Siemens.

TIM Advisory


This advisory describes an active debug code vulnerability in the Siemens TIM communication modules. This vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker with network access to gain full control over the device.

KTK Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens KTK, SIDOOR, SIMATIC, and SINAMICS products. This vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party, Interniche OS, SegmentSmack vulnerability.

SCALANCE Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE and SIMATIC products. This vulnerability is self-reported. Siemens provided generic work arounds while they continue to work on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party, VxWorks OS, SegmentSmack vulnerability.

SIMOTICS Advisory


This advisory describes a business logic error vulnerability in the Siemens SIMOTICS, Desigo, APOGEE, and TALON products. The vulnerability was self-reported. Siemens provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit this vulnerability to allow an attacker to affect the availability and integrity of the device.

Industrial Devices Advisory


This advisory describes two vulnerabilities in the Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC and SINEMA products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2018-5390; and
• Improper input validation - CVE-2018-5391

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to affect the availability of the devices under certain conditions.

NOTE: This is the third-party, Linux OS, SegmentSmack vulnerability.

Climatix Advisory


This advisory describes two vulnerabilities in the Siemens Climatix product line. The vulnerabilities were reported by Ezequiel Fernandez from Dreamlab Technologies. Siemens has provided generic workarounds.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7574; and
• Basic XSS - CVE-2020-7575

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote attacker to execute arbitrary code to access confidential information without authentication.

TMW SCADA Advisory


This advisory describes three vulnerabilities in the Triangle Microworks (TMW) SCADA Data Gateway. The vulnerabilities were reported by Incite Team of Steven Seeley and Chris Anastasio, and Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi via the Zero Day Initiative. TMW has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10615;
• Out-of-bounds read - CVE-2020-10613; and
• Type confusion - CVE-2020-10611

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code and disclose information on affected installations of Triangle Microworks SCADA Data Gateway with DNP3 Outstation channels. Authentication is not required to exploit these vulnerabilities.

TMW DNP3 Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Triangle Microworks DNP3 Outstation Libraries. The vulnerability was reported by Incite Team of Steven Seeley and Chris Anastasio via ZDI. TMW has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to stop the execution of code on affected equipment.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton HMiSoft VU3. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. The HMiSoft VU3 has reached end-of-life and is no longer supported by Eaton.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10639; and
• Out-of-bounds read - CVE-2020-10637

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed and may allow remote code execution or information disclosure.

Industrial Products Update


This update provides additional information for an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for ROX II.

PROFINET Update


This update provides additional information for an advisory that was originally published on October 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET200MP IM155-5 PN HF.

TIA Portal Update


This update provides additional information for an advisory that was originally published on January 14th, 2020. The new information includes updated version information and mitigation links for TIA Portal V16.

SIMATIC PCS 7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC WinCC (TIA Portal) V16.

SIMATIC S7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes adding SIMATIC WinAC RTX to the list of affected products.

Other Siemens Updates


Siemens also updated five other advisories yesterday. I expect that NCCIC-ICS will address at least two of these, probably later this week.

Saturday, April 11, 2020

Public ICS Disclosures -Week of 4-4-20


This week we have three vendor disclosures for products from B&R Automation, Moxa and Rockwell Automation. There are also two sets of researcher reports for products from Advantech and Universal Robots.

B&R Advisory


B&R published an advisory describing three vulnerabilities in their Automation Studio. The vulnerabilities were reported by Yehuda Anikster and Amir Preminger from Claroty. B&R has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Privilege escalation - CVE-2019-19100;
• Incomplete communication encryption and validation - CVE-2019-19101; and
• Zip Slip vulnerability (third-party vulnerability) - CVE-2019-19102

Moxa Advisory


Moxa published an advisory on the kr00k vulnerability in their products. They report that none of their products are affected.

NOTE: Negative reports about 3rd party vulnerabilities are just as important as reporting an active vulnerability in a product.

Rockwell Advisory


Rockwell published an advisory describing a file permission vulnerability in their Current Program Updater software. The vulnerability was reported by Reid Wightman from Dragos. Rockwell has new versions that mitigate the vulnerability. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

NOTE: Rockwell is reporting a 2017 CVE (CVE-2017-5176) for this vulnerability. That vulnerability was reported by ICS-CERT on March 21st, 2017. If NCCIC-ICS were to pick up this advisory it would probably be as an update to that earlier advisory.

Advantech Reports


The Zero Day Initiative published five related reports (here, here, here, here, and here) for 0-day arbitrary file deletion vulnerabilities in the Advantech WebAccess program. The vulnerabilities were reported by Natnael Samson. ZDI reports that it has reported all five vulnerabilities to Advantech and ICS-CERT (their naming not mine) noting: “The vendor communicated that they will rely on existing measures and will add no amendments to the code.”

Universal Robots Reports


Aliasrobotics published four reports of vulnerabilities for products from Universal Robots. The vulnerabilities were reported by rvd-bot, bedieber and bbreilin. Aliasrobotics reportedly contacted Universal Robots about these vulnerabilities but has received no replies.

The four reported vulnerabilities are (links are to github pages which include proof-of-concept exploit code):

• Missing encryption of sensitive data - CVE-2020-10267;
• Missing authentication for critical function - CVE-2020-10265;
• Insufficient verification of data authenticity - CVE-2020-10266; and
• Exposure of sensitive information to unauthorized actor - CVE-2020-10264

Tuesday, March 17, 2020

1 Advisory Published – 3-17-20


Today the CISA NCCIC-ICS published one control system security advisory for products from Delta Electronics.

Delta Advisory


The advisory describes two vulnerabilities in the Delta Industrial Automation CNCSoft ScreenEditor. The vulnerabilities were reported by Natnael Samson (@NattiSamson) and kimiya, working with the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-7002; and
• Out-of-bounds read - CVE-2020-6976

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application. According to the ZDI advisories (here, here and here) the vulnerabilities are remotely exploitable.

Commentary


The two different ZDI advisories for the buffer overflow vulnerability show slightly different descriptions of the vulnerability. Both describe parsing problems in DPB files. The kimiya advisory appears to be slightly more generic, where the Samson advisory specifies that the problem lies in parsing the GifName information in DPB files. There is a possibility that there are two separate vulnerabilities here. This is where it would be helpful to have the researchers verify the efficacy of the fix. We could have a situation here where the more specific vulnerability was fixed, but the more generic problem remains.
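To make the concern above concrete, here is an added illustration (not Delta's code, and not the real DPB format): a toy parser for a hypothetical length-prefixed project record with a few named fields, each copied into a fixed-size buffer. One version carries a fix scoped to the GifName field only; the other checks every field's declared length against its buffer. In real C code an unchecked copy would corrupt the stack; this Python model instead raises OverflowError at the point where that copy would happen, so the two fix strategies can be compared on constructed input. Field names, sizes and the record layout are all assumptions made for the example.

```python
"""Toy model of a length-prefixed HMI project record, showing the difference
between a fix scoped to one field and a generic length check.

Everything here (record layout, field names, buffer sizes) is hypothetical;
it is an added illustration, not the CNCSoft ScreenEditor DPB format.
"""
import struct

# Hypothetical fixed-size destination buffers, one per field, in bytes.
FIELD_CAPACITY = {"GifName": 64, "Caption": 128, "FontName": 32}


class BoundedBuffer:
    """Models a fixed-size stack buffer; a copy past its end is the overflow."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.data = b""

    def copy_in(self, src):
        # Where C would silently write past the buffer, the model raises.
        if len(src) > self.capacity:
            raise OverflowError(
                f"copy of {len(src)} bytes into {self.capacity}-byte buffer")
        self.data = src


def iter_fields(record):
    """Yield (name, payload) from a record of entries laid out as:
    1-byte name length, name, 2-byte little-endian payload length, payload."""
    pos = 0
    while pos < len(record):
        nlen = record[pos]
        pos += 1
        name = record[pos:pos + nlen].decode("ascii")
        pos += nlen
        (plen,) = struct.unpack_from("<H", record, pos)
        pos += 2
        payload = record[pos:pos + plen]
        pos += plen
        if len(payload) != plen:
            raise ValueError("truncated record")
        if name not in FIELD_CAPACITY:
            raise ValueError(f"unknown field {name!r}")
        yield name, payload


def parse_gifname_only_fix(record):
    """Field-specific fix: only GifName is length-checked before the copy.
    Returns the parsed fields, or None if the GifName check rejects the record."""
    out = {}
    for name, payload in iter_fields(record):
        buf = BoundedBuffer(FIELD_CAPACITY[name])
        if name == "GifName" and len(payload) > buf.capacity:
            return None  # the patched check
        buf.copy_in(payload)  # every other field is still copied unchecked
        out[name] = buf.data
    return out


def parse_generic_fix(record):
    """Generic fix: every field's declared length is checked against its buffer.
    Returns the parsed fields, or None if any field is oversized."""
    out = {}
    for name, payload in iter_fields(record):
        cap = FIELD_CAPACITY[name]
        if len(payload) > cap:
            return None
        buf = BoundedBuffer(cap)
        buf.copy_in(payload)
        out[name] = buf.data
    return out


def build_record(fields):
    """Serialise {name: payload} into the hypothetical record layout."""
    rec = b""
    for name, payload in fields.items():
        n = name.encode("ascii")
        rec += bytes([len(n)]) + n + struct.pack("<H", len(payload)) + payload
    return rec


def overflows(parser, record):
    """True if the parser lets a copy exceed a buffer (the crash the advisories describe)."""
    try:
        parser(record)
    except OverflowError:
        return True
    return False


# Constructed inputs: a benign record, one with an oversized GifName (the
# specific case the Samson advisory names) and one with an oversized Caption.
BENIGN = build_record({"GifName": b"alarm.gif", "Caption": b"Pump 1"})
BAD_GIFNAME = build_record({"GifName": b"A" * 200, "Caption": b"Pump 1"})
BAD_CAPTION = build_record({"GifName": b"alarm.gif", "Caption": b"B" * 300})

if __name__ == "__main__":
    for label, rec in (("benign", BENIGN), ("oversized GifName", BAD_GIFNAME),
                       ("oversized Caption", BAD_CAPTION)):
        print(f"{label:18s} GifName-only fix overflows: "
              f"{overflows(parse_gifname_only_fix, rec)!s:5s} "
              f"generic fix overflows: {overflows(parse_generic_fix, rec)}")
```

Both parsers reject the oversized GifName record, so a test built only from the Samson proof of concept would report the patch as effective; only the generic check survives the oversized Caption record. That is exactly the gap a researcher verifying the fix against the more generic description would be looking for.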

Friday, August 16, 2019

4 Advisories Published – 08-15-19


Yesterday the DHS NCCIC-ICS published four control system security advisories for products from Siemens (2), Fuji Electric, and Johnson Controls.

SINAMICS Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the web server of the Siemens SINAMICS control units. The vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to perform a denial-of-service attack.

SCALANCE Advisory


This advisory describes two instances of an improper adherence to coding standards vulnerability in the Siemens SCALANCE products. The vulnerability is self-reported. Siemens has an update available that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial of service, or could allow an authenticated local user with physical access to the device to execute arbitrary commands on the device.

NOTE: There are still two advisories and an update that were published by Siemens earlier this week that have not been addressed by NCCIC-ICS. I will report further on them tomorrow.

Fuji Advisory


This advisory describes a stack-based buffer overflow in the Fuji Alpha5 Smart Loader servo drive. The vulnerability was reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code under the privileges of the application.

Johnson Controls Advisory


This advisory describes two vulnerabilities in the Johnson Controls Metasys building automation system. The vulnerabilities were reported by harpocrates.ghost. Johnson Controls has a new version that mitigates the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Reusing a nonce, key-pair in an encryption - CVE-2019-7593; and
• Use of hard-coded cryptographic key - CVE-2019-7594

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to decrypt captured network traffic.

Friday, July 12, 2019

7 Advisories Published – 07-11-19


Yesterday the DHS NCCIC-ICS published six industrial control system advisories for products from Schneider Electric (2), AVEVA, Siemens (3) and Delta Industrial. They also published a medical device security advisory for products from Philips.

Interactive Graphical SCADA Advisory


This advisory describes an out-of-bounds write vulnerability in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerability was reported by mdm and rgod of 9SG Security Team via the Zero Day Initiative. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow an attacker to achieve arbitrary code execution or crash the software.

Floating License Manager Advisory


This advisory describes four vulnerabilities in the Schneider Floating License Manager. The vulnerabilities are self-reported. According to the Schneider advisory, the vulnerabilities are in a third-party component (Flexera FlexNet Publisher) of their product. Schneider has a patch available that mitigates the vulnerabilities.

The four reported vulnerabilities are:

Improper input validation (3) - CVE-2018-20031, CVE-2018-20032, and CVE-2018-20034; and
Memory corruption - CVE-2018-20033

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to deny the acquisition of a valid license for legal use of the product.

NOTE: There are still three other advisories published by Schneider on Tuesday that have not been reported by NCCIC-ICS; all are for Modicon controllers. I will address these on Saturday.

AVEVA Advisory


This advisory describes the same four vulnerabilities reported above, this time in the AVEVA Vijeo Citect and Citect SCADA Floating License Manager. These vulnerabilities have not yet been reported by AVEVA. A new version is available from Schneider to mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to deny the acquisition of a valid license for legal use of the product.

SIMATIC Advisory


This advisory describes three vulnerabilities in the Siemens SIMATIC RF6XXR. The vulnerabilities are in older, third-party SSL and TLS applications still in use by these products. The vulnerabilities were reported by Wendy Parrington from United Utilities. Siemens reports that newer versions mitigate the vulnerabilities.

The three reported vulnerabilities are:

Improper input validation - CVE-2011-3389; and
Cryptographic issues (2) - CVE-2016-6329 and CVE-2013-0169

NCCIC-ICS reports that an uncharacterized attacker could use publicly available exploits (two of these are older, well recognized vulnerabilities) to remotely exploit the vulnerabilities to allow access to sensitive information.

TIA Portal Advisory


This advisory describes an improper access control vulnerability in the Siemens TIA Administrator (TIA Portal). The vulnerability was reported (with proof of concept code) by Joseph Bingham of Tenable. Siemens has an update that mitigates the vulnerability. There is no indication that Bingham has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an execution of some commands without proper authentication.

SIMATIC WinCC Advisory


This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Siemens SIMATIC WinCC and SIMATIC PCS7 devices. The vulnerability was reported by Xuchen Zhu from ZheJiang Guoli Security Technology. Siemens has updates available that mitigate the vulnerability. There is no indication that Xuchen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the affected service or device. The Siemens advisory notes that the attacker has to be authenticated with a valid user account.

NOTE: There is still one new advisory that Siemens published on Tuesday that has not been reported by NCCIC-ICS. I will cover it tomorrow.

Delta Industrial Advisory


This advisory describes two vulnerabilities in the Delta Electronics CNCSoft ScreenEditor. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. Delta has a new version that mitigates the vulnerabilities. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Heap-based buffer overflow - CVE-2019-10982; and
Out-of-bounds read - CVE-2019-10992

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application.

Philips Advisory


This advisory describes a use of obsolete function vulnerability in the Philips Holter 2010 Plus, a 12-lead EKG analysis software program. The vulnerability is self-reported. Philips provides generic measures to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to lead to a product feature escalation.

Friday, June 28, 2019

6 Advisories Published – 06-27-19


Yesterday the DHS NCCIC-ICS published five control system security advisories for products from Advantech, SICK AG, and ABB (3). They also published a medical device security advisory for products from Medtronic.

Advantech Advisory


This advisory describes six vulnerabilities in the Advantech WebAccess/SCADA software platform. The vulnerabilities were reported by Mat Powell, Natnael Samson (@NattiSamson) and EljahLG via the Zero Day Initiative. Advantech has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

Path traversal - CVE-2019-10985;
Stack-based buffer overflow - CVE-2019-10991;
Heap-based buffer overflow - CVE-2019-10989;
Out-of-bounds read - CVE-2019-10983;
Out-of-bounds write - CVE-2019-10987; and
Untrusted pointer dereference - CVE-2019-10993

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, deletion of files, and remote code execution.

SICK Advisory


This advisory describes a use of hard-coded credentials vulnerability in the SICK MSC800 PLC. The vulnerability was reported by Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group. SICK has new firmware that mitigates the vulnerability. There is no indication that Quach has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to reconfigure settings and/or disrupt the functionality of the device.

CP 635 Advisory


This advisory describes a use of hard-coded credentials vulnerability in the ABB CP620 and CP635 HMI products. The vulnerability is self-reported. ABB has an update available that mitigates the vulnerability.

The ABB advisory describes two other vulnerabilities with these products and reports that the vulnerabilities were reported by Xen1thLabs. The individual vulnerability reports from Xen1thLabs (see links below) include proof of concept exploits.

The three reported vulnerabilities are:

Out-dated software components – multiple OpenSSL CVEs;
Hard-coded credentials - CVE-2019-7225; and
Absence of signature verification - CVE-2019-7229

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the (single reported?) vulnerability to allow an attacker to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.

CP 651 Advisory


This advisory describes a use of hard-coded credentials vulnerability in the ABB CP651, CP665 and CP676 HMI products. The vulnerability is self-reported. ABB has an update available that mitigates the vulnerability.

The ABB advisory describes the same two other vulnerabilities with these products and reports that the vulnerabilities were discovered based upon the work of Xen1thLabs on the CP 635 vulnerabilities reported above.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the (single reported?) vulnerability to allow an attacker to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.

Panel Builder Advisory


This advisory describes seven vulnerabilities in the ABB PB610 Panel Builder 600 engineering tool. The vulnerabilities were reported by Xen1thLabs. ABB has new versions available that mitigate the vulnerabilities. There is no indication that Xen1thLabs has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities (with links to the Xen1thLabs reports; reports which contain proof of concept exploit code) are:

Use of hard-coded credentials - CVE-2019-7225;
Improper authentication - CVE-2019-7226;
Relative path traversal - CVE-2019-7227;
Improper input validation (2) - CVE-2019-7228 and CVE-2019-7230; and
Stack-based buffer overflow - CVE-2019-7231

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.

Medtronic Advisory


This advisory describes an improper access control vulnerability in the Medtronic MiniMed 508 and Paradigm Series Insulin Pumps. The vulnerability is self-reported, but NCCIC-ICS notes that the internal investigation by Medtronic was guided by previous work from outside researchers on other Medtronic products. Medtronic suggests upgrading to a newer product. The FDA advisory on this product notes that Medtronic is recalling the affected insulin pumps.

NCCIC-ICS reports that an uncharacterized attacker with adjacent access (radio frequency access according to the Medtronic advisory) could exploit this vulnerability to intercept, modify, or interfere with the wireless RF (radio frequency) communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.

Wednesday, April 17, 2019

Three Advisories Published – 04-16-19


Yesterday the DHS NCCIC-ICS published two control system security advisories for products from WAGO and Delta Industrial Automation, and one for PLC products from multiple vendors.

PLC Advisory


This advisory describes an uncontrolled resource consumption vulnerability in specific PLC products from ABB, Phoenix Contact, Schneider Electric, Siemens, and WAGO. The vulnerability was reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin), and Florian Fischer (Hochschule Augsburg). The responses range from a firmware update from Schneider, to ‘it's not really a vulnerability but here are generic workarounds’, to ‘it's not a vulnerability’ from Siemens. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely influence configured cycle times.

NOTE: The Schneider advisory referenced in this advisory was released in February and listed a 2018 CVE number for the reported vulnerability. Neither CVE number is currently available.

WAGO Advisory


This advisory describes a hard-coded credential vulnerability in the WAGO Series 750-88x and 750-87x PLCs. The vulnerability was reported by Jörn Schneeweisz of Recurity Labs. WAGO has new firmware that mitigates the vulnerability. There is no indication that Schneeweisz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to change the settings or alter the programming of the device.

NOTE: I briefly mentioned this vulnerability last Saturday.

Delta Advisory


This advisory describes three vulnerabilities in the Delta Industrial Automation CNCSoft screen editor software. The vulnerabilities were reported by Natnael Samson and an anonymous researcher via the Zero Day Initiative. Delta has an updated version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-10947;
Heap-based buffer overflow - CVE-2019-10951; and
Out-of-bounds read - CVE-2019-10949

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application.

Tuesday, February 19, 2019

Four Advisories Published – 02-19-19


Today the DHS NCCIC published four control system security advisories for products from Rockwell Automation, Horner Automation, Delta Industrial and Intel.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell Allen-Bradley PowerMonitor 1000. These vulnerabilities were reported by Luca Chiou of ACSI. Rockwell is working on mitigation measures. CheckPoint Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass using alternate path or channel - CVE-2019-19616

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (here and here) to remotely exploit these vulnerabilities to affect the confidentiality, integrity, and availability of the device.

NOTE: I discussed these vulnerabilities last Saturday.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by ‘anonymous’ via the Zero Day Initiative (ZDI). Horner has a new version that mitigates the vulnerability. There is no indication that anonymous has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.

Delta Advisory


This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation CNCSoft. The vulnerability was reported by Natnael Samson (@NattiSamson) via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow condition that may allow information disclosure or crash the application.

Intel Advisory


This advisory describes eleven vulnerabilities in the Intel Data Center Manager SDK. The vulnerabilities were reported by Intel’s Product Security Incident Response Team. Intel has a new version that mitigates the vulnerabilities.

The eleven reported vulnerabilities are:

• Improper authentication - CVE-2019-0102;
• Protection mechanism failure (4) - CVE-2019-0103, CVE-2019-0104, CVE-2019-0106, and CVE-2019-0107;
• Permission issues (4) - CVE-2019-0105, CVE-2019-0108, CVE-2019-0109, and CVE-2019-0111;
• Key management issues - CVE-2019-0110; and
• Insufficient control flow management - CVE-2019-0112

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow escalation of privilege, denial of service, or information disclosure.

Wednesday, February 6, 2019

5 Advisories and 6 Updates Published – 02-05-19


Yesterday the DHS NCCIC-ICS published five control system advisories for products from Kunbus, Siemens, WECON, Rockwell and AVEVA. They also updated five previously published advisories for products from Siemens and updated a medical device security advisory for products from BD.

Kunbus Advisory 


This advisory describes three vulnerabilities in the Kunbus PR100088 Modbus gateway. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus has a new version that mitigates the vulnerabilities. There is no indication that Merle has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2019-6527;
• Missing authentication for critical function - CVE-2019-6533; and
• Improper input validation - CVE-2019-6529

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to achieve remote code execution and/or cause a denial-of-service condition.

Siemens Advisory 


This advisory describes two improper input validation vulnerabilities in the Siemens SIMATIC S7-1500 CPU. The vulnerabilities were reported by Georgy Zaytsev, Dmitry Sklyarov, Druzhinin Evgeny, Ilya Karpov, and Maxim Goryachy of Positive Technologies. Siemens has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a denial-of-service condition on the device.

WECON Advisory 


This advisory describes three vulnerabilities in the WECON LeviStudioU product. The vulnerabilities were reported by Mat Powell, Ziad Badawi, and Natnael Samson via the Zero Day Initiative. WECON has an updated version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2019-6539;
• Stack-based buffer overflow - CVE-2019-6537; and
• Memory corruption - CVE-2019-6541

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow attackers to execute arbitrary code.

Rockwell Advisory 


This advisory describes an improper input validation vulnerability in the Rockwell EtherNet/IP Web Server Modules. The vulnerability was reported by Tenable. Rockwell has provided generic mitigations for the vulnerability. There is no indication that Tenable has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a remote attacker to deny communication with Simple Network Management Protocol (SNMP) service.

AVEVA Advisory


This advisory describes two vulnerabilities in the AVEVA InduSoft Web Studio and InTouch Edge HMI products. The vulnerabilities were reported by Tenable. AVEVA has a new version that mitigates the vulnerabilities. AVEVA reports that Tenable has verified the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2019-6543; and
• Resource injection - CVE-2019-6545

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute an arbitrary process using a specially crafted database connection configuration file.

SIMATIC PCS7 Update 


This update provides additional information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018, November 14th, 2018 and again on December 13th, 2018. This update provides corrected version numbers and patch links for WinCC 7.2 and 7.4.

NOTE: I briefly discussed this update on January 12th.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018 and updated on October 9th, 2018. This update provides corrected version numbers and patch links for SIMATIC S7-300 incl. F and T.

NOTE: I briefly discussed this update on January 12th.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018 and most recently on December 11th, 2018. This update provides a link to an updated solution for SIMATIC S7-300.

NOTE: I briefly discussed this update on January 12th.

Discovery Service Update 


This update provides additional information on an advisory that was originally published on 8-31-17 and updated on October 3rd, 2017 and again on November 30th, 2017. This update provides updated version information and provides a link to the fix for SIMATIC NET PC Software.

NOTE: I briefly discussed this update on January 12th.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018, May 3rd, 2018, November 13th, 2018 and most recently on December 11th, 2018. This update provides corrected information for CP 1243-1.

NOTE: I briefly discussed this update on January 12th.

BD Update


This update provides additional information on an advisory that was originally published on January 29th, 2019. In the vulnerability overview section of the advisory this update changes the words “The application…” to “The system…”.

Commentary


On January 12th, 2019 I reported on the five advisories and seven updates published by Siemens on December 8th. To date NCCIC-ICS has only reported on one of the advisories and six of the updates. I do not expect to see an update on the final Siemens update, as it is for the generic GNU/Linux vulnerabilities that are covered by an NCCIC-ICS alert. I am beginning to suspect that NCCIC-ICS will not be reporting on the remaining Siemens advisories. This may be because the vulnerability reports were not coordinated through NCCIC-ICS. Or it may be that NCCIC-ICS was understaffed during the recent Federal Funding Fiasco and has not yet had time to catch up with all of the vulnerability reporting that occurred during that time.

As I gradually expand the list of web sites that I scan weekly for my ‘Public ICS Disclosures’ blog post, it is becoming rather obvious that NCCIC-ICS is not a central clearing house for ICS vulnerability disclosures. That means that there is no central agency that is tracking (and more importantly reporting on) vulnerabilities in the ICS sphere. With the major ICS vendors this is probably not a major issue since they have relatively robust reporting systems of their own. But for the second and third tier of vendors, this is going to become a serious problem.

If/when Congress ever gets around to looking at the subject of control system security, one of the issues that they are going to have to look at (and hopefully rationally deal with) is the issue of vulnerability coordination and disclosure. When/if they do that, I would hope that they would consider codifying and expanding the role of NCCIC-ICS in that process. And, I believe, part of that expansion should be establishing NCCIC-ICS as the public clearing house for vulnerability disclosure in the control system arena.
