Showing posts with label NewSky Security. Show all posts

Tuesday, March 26, 2019

3 Advisories Published – 03-26-19


Today the DHS NCCIC-ICS published three control system security advisories for products from ENTTEC, Phoenix Contact and Siemens.

ENTTEC Advisory


This advisory describes a missing authentication for critical function vulnerability in the ENTTEC Datagate MK2, Storm 24, and Pixelator industrial lighting control products. The vulnerability was reported by Ankit Anubhav of NewSky Security. ENTTEC has updated firmware that mitigates the vulnerability. There is no indication that Anubhav has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to reboot the device, creating a continual denial-of-service condition.

Phoenix Contact Advisory


This advisory describes a command injection vulnerability in the Phoenix Contact RAD-80211-XD radio modules. The vulnerability was reported by Maxim Rupp. The affected products are no longer supported.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute system-level commands with administrative privileges.

Siemens Advisory


This advisory describes an expected behavior violation vulnerability in the Siemens SCALANCE X switches. The vulnerability was self-reported by Siemens. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to feed data over a mirror port into the mirrored network.

NOTE: I briefly reported on this vulnerability earlier this month.

Thursday, February 14, 2019

Two Advisories and Three Updates Published – 02-14-19


Today the DHS NCCIC-ICS published two control system security advisories for products from gpsd Open Source Project and Pangea. They also updated three previously published advisories for products from Fuji and Siemens (2). The gpsd advisory was originally published on the HSIN ICS-CERT library on November 6, 2018.

gpsd Advisory


This advisory describes a stack-based buffer overflow vulnerability in gpsd, an open-source GPS framework. The vulnerability was reported by GE Digital Cyber Security Services, working with GE-PSIRT. A new version is available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow remote code execution, data exfiltration, or denial-of-service via device crash.

Note: This advisory is a ‘third-party vendor’ vulnerability report. NCCIC-ICS reports that gpsd can be found in many mobile embedded systems such as Android phones, drones, robot submarines, driverless cars, manned aircraft, marine navigation systems, and military vehicles.

Pangea Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Pangea Internet FAX Analog Telephone Adapter (ATA). The vulnerability was reported by Ankit Anubhav of NewSky Security. Pangea has a patch deployed that mitigates the vulnerability. There is no indication that Anubhav has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerability to cause the device to reboot and create a continual denial-of-service condition.

Fuji Update


This update provides additional information on an advisory that was originally published on September 27th, 2018. The update announces the availability of a new firmware version that mitigates the vulnerabilities.

Licensing Software Update


This update provides additional information on an advisory that was originally published on February 12th, 2019. The update makes a number of editorial corrections in the data presentation on the vulnerabilities reported. I missed identifying these inconsistencies as I reported on the vulnerabilities based upon the Talos reports. The update still does not mention that there are publicly available exploits for these vulnerabilities from those reports.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, January 23rd, 2018, February 27th, 2018, and most recently on June 21st, 2018. The update provides updated affected version information and mitigation links for SINAUT ST7CC.

Tuesday, July 31, 2018

ICS-CERT Publishes 5 Advisories


Today the DHS ICS-CERT published five control system security advisories for products from AVEVA (2), WECON, Johnson Controls and Davolink.

Wonderware Advisory


This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the AVEVA Wonderware License Server; the vulnerability is in the third-party Flexera FlexNet Publisher software. The vulnerability was reported to AVEVA by an anonymous researcher. AVEVA has an update that mitigates the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to achieve remote code execution with administrative privileges.

NOTE: This vulnerability was also reported in the Rockwell Factory Talk Activation Manager earlier this year. There is an interesting blog post from 2016 about this vulnerability over at Security Mumblings.

InTouch Advisory


This advisory describes a cross-site scripting vulnerability in the AVEVA InTouch Access Anywhere product. The vulnerability was reported by Google’s Security Team. AVEVA has an update that mitigates the vulnerability. The AVEVA security advisory indicates that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to obtain sensitive information and/or execute JavaScript or HTML code.

WECON Advisory


This advisory describes two buffer overflow vulnerabilities in the WECON LeviStudioU. The vulnerabilities were reported by NSFOCUS security team, Ghirmay Desta and Mat Powell via the Zero Day Initiative.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-10602; and
• Heap-based buffer overflow - CVE-2018-10606

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute remote code.

NOTE: Reading between the lines of the advisory, it looks like ICS-CERT did not get much cooperation from WECON on these vulnerabilities.

Johnson Controls Advisory


This advisory describes an information exposure through an error message vulnerability in the Johnson Controls Metasys and BCPro products. The vulnerability was reported by Dan Regalado of Zingbox. Newer versions mitigate the vulnerability. There is no indication that Regalado was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to obtain technical information about the Metasys or BCPro server, allowing an attacker to target a system for attack.
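The Johnson Controls advisory describes the generic information-exposure-through-error-message class (CWE-209): a server that answers a failed request with its own product banner, version, internal paths or a stack trace hands a remote party the details needed to pick an exploit. The following is an added example, written for this page and not code from Johnson Controls, Metasys, BCPro or the advisory; the server banner, the failing handler and its file path are all constructed stand-ins. It shows the leaking response beside the hardened one, where the detail is kept in the server-side log under a random reference id and only that id reaches the client.

```python
import logging
import traceback
import uuid

# Constructed server banner standing in for the kind of technical detail an
# unsanitized error page can leak (product name, version, build). Hypothetical.
SERVER_BANNER = "ExampleBMS/4.2 (build 1234)"

log = logging.getLogger("bms.errors")
AUDIT_SINK = []  # in-memory stand-in for the server-side log, so the example runs offline


def verbose_error_response(exc: Exception) -> tuple:
    """The pattern behind CWE-209: the server banner and full traceback go to the client.
    Everything a remote party needs to fingerprint the host is in the response body."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, f"{SERVER_BANNER}\n{detail}"


def safe_error_response(exc: Exception) -> tuple:
    """Hardened form: the detail is logged server-side under a random reference id,
    and the client receives only that id, so support staff can still correlate."""
    ref = uuid.uuid4().hex
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    AUDIT_SINK.append({"ref": ref, "banner": SERVER_BANNER, "detail": detail})
    log.error("ref=%s %s", ref, detail)
    return 500, f"Internal error. Reference: {ref}"


def run_with_handler(handler, respond):
    """Dispatch loop: run the handler and route any exception through `respond`."""
    try:
        return 200, handler()
    except Exception as exc:  # a catch-all is intentional: nothing may escape unsanitized
        return respond(exc)


def failing_handler():
    """Constructed request handler that fails the way a misconfigured server might:
    the exception message carries an internal filesystem path."""
    raise FileNotFoundError("/opt/example-bms/config/db.ini")  # constructed path


def reference_from_body(body: str) -> str:
    """Pull the reference id back out of a safe response (for log correlation)."""
    return body.rsplit(": ", 1)[1]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, responder in (("verbose", verbose_error_response), ("safe", safe_error_response)):
        status, body = run_with_handler(failing_handler, responder)
        print(f"--- {name}: HTTP {status} ---\n{body}\n")
```

The design point is that the catch-all in `run_with_handler` is the single place where exceptions turn into responses; if every handler had to remember to sanitize its own errors, one forgotten branch would reopen the exposure. The reference id keeps the detail recoverable for the operator without putting it on the wire.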

Davolink Advisory


This advisory describes a use of password hash with insufficient computational effort vulnerability in the Davolink DVW-3200N network switch. The vulnerability was reported by Ankit Anubhav of NewSky Security. There is new firmware for the device that mitigates the vulnerability. There is no indication that Anubhav was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to obtain the password to the device.
