Showing posts with label Nozomi. Show all posts

Sunday, August 13, 2023

Review – Public ICS Disclosures – Week of 8-5-23 – Part 2

For Part 2 we have a vendor disclosure for products from Schneider. There are also 17 vendor updates from B&R, FortiGuard, Schneider (3) and Siemens (12). Finally, we have 20 researcher reports for products from Advantech, BlueMark, NVIDIA, Softing (11), and Inductive Automation (6).

Advisories

Schneider Advisory - Schneider published an advisory that describes an improper restriction of operations within the bounds of a memory buffer in their Pro-face GP-Pro EX product.

Updates

B&R Update - B&R published an update for their SLP based traffic advisory that was originally published on May 31st, 2023.

FortiGuard Update - FortiGuard published an update for their FortiOS buffer overflow advisory that was originally published on July 28th, 2023.

Schneider Update #1 - Schneider published an update for their EcoStruxure Control Expert advisory that was originally published on January 10th, 2023, and most recently updated on March 14th, 2023.

Schneider Update #2 - Schneider published an update for their EcoStruxure Control Expert advisory that was originally published on January 10th, 2023, and most recently updated on July 11th, 2023.

Schneider Update #3 - Schneider published an update for their CODESYS Runtime advisory that was originally published on July 11th, 2023.

Siemens Update #1 - Siemens published an update for their Multiple File Parsing advisory that was originally published on May 9th, 2023.

Siemens Update #2 - Siemens published an update for their Authentication Bypass advisory that was originally published on March 14th, 2023 and most recently updated on June 13th, 2023.

Siemens Update #3 - Siemens published an update for their Linux Kernel advisory that was originally published on June 13th, 2023 and most recently updated on July 11th, 2023.

Siemens Update #4 - Siemens published an update for their File Parsing Vulnerabilities advisory that was originally published on July 11th, 2023.

Siemens Update #5 - Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023 and most recently updated on June 13th, 2023.

Siemens Update #6 - Siemens published an update for their IPU 2022.3 Vulnerabilities advisory that was originally published on February 14th, 2023 and most recently updated on July 11th, 2023.

Siemens Update #7 - Siemens published an update for their Missing CSRF Protection advisory that was originally published on November 8th, 2022, and most recently updated on July 11th, 2023.

Siemens Update #8 - Siemens published an update for their additional GNU/Linux subsystem advisory that was originally published on November 27th, 2018 and most recently updated on July 11th, 2023.

Siemens Update #9 - Siemens published an update for their Insyde BIOS Vulnerabilities advisory that was originally published on May 22nd, 2022 and most recently updated on July 11th, 2023.

Siemens Update #10 - Siemens published an update for their SISCO Stack Vulnerability advisory that was originally published on December 13th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #11 - Siemens published an update for their Privilege Management Vulnerability advisory that was originally published on December 13th, 2022.

Researcher Reports

Advantech Report - CyberDanube published a report that describes two cross-site scripting vulnerabilities in the Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series products.

BlueMark Reports - Nozomi Networks published three reports about individual vulnerabilities in the BlueMark DroneScout ds230 Remote ID receiver.

NVIDIA Reports - Cisco TALOS published three reports for individual vulnerabilities in the NVIDIA GPU Display Driver.

Softing Report #1 - ZDI published a report that describes a resource exhaustion vulnerability in the Softing edgeConnector product.

Softing Report #2 - ZDI published a report that describes a directory traversal vulnerability in the Softing Integration Server.

Softing Reports #3-5 - ZDI published three reports of individual vulnerabilities in the Softing edgeAggregator.

Softing Reports #6-9 - ZDI published four reports of individual vulnerabilities in the Softing Secure Integration Server.

Softing Report #10 - ZDI published a report of a NULL pointer dereference vulnerability in the Softing edgeConnector.

Softing Report #11 - ZDI published a report of a hard-coded cryptographic key vulnerability in the Softing Secure Integration Server.

Inductive Automation Reports - ZDI published six reports of vulnerabilities in the Inductive Automation Ignition product.


For more details on these disclosures, including a brief summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-1b8 - subscription required.

Sunday, January 2, 2022

Review - Public ICS Disclosures – Week of 12-25-21 – Part 1

Happy New Year.

As should be expected for the week between Christmas and New Year’s, the public ICS disclosures for this week were relatively light. There will be a two-part post today, however, due to the ongoing reporting on Log4Shell.

In Part 1 this week we have seven vendor disclosures from Moxa (6) and QNAP. There is also a researcher report on products from Schneider Electric.

Moxa Advisory #1 - Moxa published an advisory describing two vulnerabilities in their TN-5900 Series Secure Routers.

Moxa Advisory #2 - Moxa published an advisory describing a memory leak vulnerability in their TN-5900 Series Secure Routers.

Moxa Advisory #3 - Moxa published an advisory describing a memory leak vulnerability in their MGate 5109 and MGate 5101-PBM-MN Series Protocol Gateways.

Moxa Advisory #4 - Moxa published an advisory describing eight vulnerabilities in their TAP-213/TAP-323 Series Wireless AP/Bridge/Client.

Moxa Advisory #5 - Moxa published an advisory describing seven vulnerabilities in their OnCell G3150A/G3470A Series and WDR-3124A Series Cellular Gateways/Router.

Moxa Advisory #6 - Moxa published an advisory describing eight vulnerabilities in their AWK-3131A/4131A/1131A/1137C Series Wireless AP/Bridge/Client.

QNAP Advisory - QNAP published an advisory describing an exposure of sensitive information vulnerability in their QTS, QuTS hero, and QuTScloud products.

Schneider Report - Nozomi Networks published a report on a cross-site scripting vulnerability in the Schneider Rack Power Distribution Unit (PDU).

For more details about these advisories and the report, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-97e - subscription required.

Saturday, November 27, 2021

Review – Public ICS Disclosures – Week of 11-20-21

This week we have ten vendor disclosures from Advantech, Hitachi, Hitachi Energy (2), Moxa (2), QNAP (2), and VMware. There is also an update from Mitsubishi. Additionally, we have two researcher reports for vulnerabilities in products from PerFact and Philips. Finally, we have an exploit for a product from ModbusTools.

Advantech Advisory - Advantech published an advisory describing five sets of vulnerabilities (each set corresponding to a separate Talos report containing multiple vulnerabilities) in their R-SeeNet application.

Hitachi Advisory - Hitachi published an advisory discussing 24 vulnerabilities in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory describing two vulnerabilities in their XMC20 product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory describing two vulnerabilities in their FOX61x product.

Moxa Advisory #1 - Moxa published an advisory describing eleven vulnerabilities in their ioLogik E2200 Series Controllers and I/Os.

Moxa Advisory #2 - Moxa published an advisory describing three vulnerabilities in their NPort IAW5000A-I/O Series Servers.

QNAP Advisory #1 - QNAP published an advisory describing an improper authentication vulnerability in their VS Series NVR.

QNAP Advisory #2 - QNAP published an advisory describing a command injection vulnerability in their VS Series NVR.

VMware Advisory - VMware published an advisory describing two vulnerabilities in their vCenter Server.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 and MC Works64 advisory that was originally published on October 21st, 2021.

PerFact Report - Claroty published a report describing vulnerabilities in VPN products in use in industrial applications including a previously unpublished server-side request forgery vulnerability in products from PerFact.

Philips Report - Nozomi Networks published a report describing five vulnerabilities in patient monitoring products from Philips.

ModbusTools Exploit - Yehia Elghaly published an exploit for an improper restriction of operations within the bounds of a memory buffer vulnerability in the Modbus Slave tool from ModbusTools.

For more details on these advisories, updates, reports and exploits, including links to supporting third-party vulnerabilities, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-857 - subscription required.

Tuesday, May 11, 2021

15 Advisories Published – 5-11-21

Today CISA’s NCCIC-ICS published fifteen control system security advisories for products from Siemens (13), Mitsubishi, and Omron. NCCIC-ICS also published six updates today; I will cover them in a separate blog post tomorrow.

SIMATIC Advisory #1

This advisory describes two vulnerabilities in the Siemens SIMATIC S7-1500 CPU 1518F-4. These are third-party (Intel) vulnerabilities. Siemens provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper initialization - CVE-2020-8744, and

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-0591

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow unauthorized privilege escalation.

SCALANCE Advisory #1

This advisory describes 19 vulnerabilities in the Siemens SCALANCE W1750D. These are third-party vulnerabilities (Aruba Instant Access Points). Siemens has a new version that mitigates the vulnerabilities.

The 19 vulnerabilities are:

• Improper authentication (2) - CVE-2019-5317 and CVE-2021-25143,

• Classic buffer overflow (3) - CVE-2019-5319, CVE-2021-25144, and CVE-2021-25149,

• Command injection (5) - CVE-2020-24635, CVE-2020-24636, CVE-2021-25146, CVE-2021-25150, and CVE-2021-25162,

• Improper input validation (7) - CVE-2021-25145, CVE-2021-25148, CVE-2021-25155, CVE-2021-25156, CVE-2021-25157, CVE-2021-25159, and CVE-2021-25160,

• Race condition - CVE-2021-25158, and

• Cross-site scripting - CVE-2021-25161

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to execute arbitrary code as a privileged user on the underlying operating system, fully compromise the underlying operating system, overwrite sensitive system files, create a denial-of-service condition, execute arbitrary script code in a victim’s browser, read arbitrary files off the underlying file system, create an attacker named directory, corrupt backup files, or obtain sensitive information.

NOTE: I briefly discussed the Aruba vulnerabilities back in March.

SINAMICS Advisory #1

This advisory describes a missing authentication for critical function vulnerability in the Siemens SINAMICS Medium Voltage Products. This vulnerability is self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an attacker to gain full remote access to the HMI.

NOTE: This same Telnet service vulnerability was reported in the Siemens SIMATIC HMI Comfort Panels back in February.

SIMATIC Advisory #2

This advisory describes seven vulnerabilities in the Siemens SIMATIC HMIs/WinCC products. These are third-party (SmartVNC) vulnerabilities. Siemens has updates that mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• Access of memory location after end of buffer (3) - CVE-2021-25660, CVE-2021-25661, and CVE-2021-27384,

• Improper handling of exceptional conditions - CVE-2021-25662,

• Improper restriction of operations within the bounds of a memory buffer (2) - CVE-2021-27383 and CVE-2021-27386, and

• Uncontrolled resource consumption - CVE-2021-27385

NCCIC-ICS reported that an uncharacterized attacker could remotely exploit the vulnerabilities to allow remote code execution, information disclosure and denial of service attacks under certain conditions.

SIMATIC Advisory #3

This advisory describes ten vulnerabilities in the Siemens SIMATIC HMIs/WinCC Products. These are third-party (UltraVNC) vulnerabilities. Siemens has updates that mitigate the vulnerabilities.

The ten reported vulnerabilities are:

• Improper initialization (2) - CVE-2019-8259 and CVE-2019-8277,

• Out-of-bounds read (2) - CVE-2019-8260 and CVE-2019-8261,

• Heap-based buffer overflow - CVE-2019-8262,

• Stack-based buffer overflow - CVE-2019-8263,

• Access memory location after buffer (3) - CVE-2019-8264, CVE-2019-8265, and CVE-2019-8280, and

• Improper null termination - CVE-2019-8275

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.

NOTE: These vulnerabilities were reported in the Siemens SINUMERIK products back in June of 2020. That advisory included 22 vulnerabilities.

SCALANCE Advisory #2

This advisory describes an incorrect calculation vulnerability in the Siemens SCALANCE XM-400, XR-500 products. The vulnerability is self-reported. Siemens has updates available that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated remote attacker to create a permanent denial-of-service condition.

Mendix Advisory #1

This advisory describes a generation of error message containing sensitive information in the Siemens Mendix Excel Importer. The vulnerability is self-reported. Mendix has an update that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to expose information to unauthorized parties.

Tecnomatix Advisory

This advisory describes three vulnerabilities in the Siemens Tecnomatix Plant Simulation. The vulnerabilities were reported by Francis Provencher via the Zero Day Initiative. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Stack-based buffer overflow (2) - CVE-2021-27396 and CVE-2021-27398, and

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-27397

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to lead to arbitrary code execution.

SIMATIC Advisory #4

This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC CP343-1 devices. The vulnerability is self-reported. Siemens has provided a generic workaround to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

SNMP Implementation Advisory

This advisory describes an out-of-bounds write vulnerability in the Siemens SNMP Implementation of WinCC Runtime. The vulnerability was reported by Younes Dragoni and Alessandro Di Pinto of Nozomi Networks. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to crash the SNMP service and require a manual restart of the device to resume operation of the service.

NOTE: Someone has been holding onto this vulnerability (CVE-2019-19276) for a while because there is no listing for it in either the NIST or Mitre databases.

Mendix Advisory #2

This advisory describes a generation of error message containing sensitive information vulnerability in the Siemens Mendix Database Replication Module. The vulnerability is self-reported. Mendix has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to sensitive information.

SINAMICS Advisory #2

This advisory describes a missing authentication for critical function vulnerability in the Siemens SINAMICS Medium Voltage Products. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to gain full remote access to the HMI.

NOTE: The Siemens advisory (SSA-752103) mentioned in this advisory does not correspond to the CVE reported by NCCIC-ICS. In fact, the Siemens advisory CVE corresponds to ICSA-21-131-13, reported in SINAMICS Advisory #1 above, which also references SSA-752103. None of the other Siemens advisories published today report CVE-2021-31337, the CVE being reported by NCCIC-ICS in this advisory, and that CVE appears to be well out of the current NCCIC-ICS CVE sequence. I am not sure what is going on here.

Siemens Linux Advisory

This advisory describes a use of insufficiently random variables vulnerability in the Siemens Linux based products. This is the Sad DNS vulnerability and proof-of-concept code is available on the report site. Siemens has updates available to mitigate the vulnerability in some of the affected products.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to compromise confidentiality and integrity.

NOTE: Siemens has previously added the CVE for this vulnerability to their generic GNU/Linux subsystem advisory.

Mitsubishi Advisory

This advisory describes a buffer access with incorrect length vulnerability in the Mitsubishi GOT and Tension Controller. The vulnerability was reported by Parul Sindhwad and Dr. Faruk Kazi of COE-CNDS Lab, VJTI, Mumbai, India. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to stop the communication function of the products, requiring a reset to regain functionality.

Omron Advisory

This advisory describes a stack-based buffer overflow in the Omron CX-One automation software suite. The vulnerability was reported by rgod via ZDI. Omron has an updated version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow arbitrary code execution.

Other Advisories

Siemens published one other advisory today that was not reported by NCCIC-ICS. If it is not covered Thursday by NCCIC-ICS then I will discuss it this weekend.
