Showing posts with label ODA.

Tuesday, December 19, 2023

Review – 5 Advisories and 2 Updates Published – 12-19-23

Today, CISA’s NCCIC-ICS published five control system security advisories for products from EuroTel, Open Design Alliance, EFACEC (2), and Subnet Solutions. They also updated two advisories for products from Mitsubishi and Johnson Controls.

Advisories

EuroTel Advisory - This advisory describes three vulnerabilities in the EuroTel ETL3100 radio transmitter.

ODA Advisory - This advisory describes three vulnerabilities in the ODA Drawing SDK tool.

EFACEC Advisory #1 - This advisory describes four vulnerabilities in the EFACEC UC 500E HMI.

EFACEC Advisory #2 - This advisory describes two vulnerabilities in the EFACEC BCU 500 automation and control IED.

Subnet Advisory - This advisory describes an unquoted search path or element vulnerability in the Subnet PowerSYSTEM Center multi-function management platform.

Updates

Mitsubishi Update - This update provides additional information on the MELSEC iQ-R, Q and L Series advisory that was originally published on October 29th, 2020 and most recently updated on April 4th, 2022.

Johnson Controls Update - This update provides additional information on the Johnson Controls Metasys and Facility Explorer that was originally published on December 7th, 2023.

 

For more details about these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-2c9 - subscription required. 

Saturday, February 11, 2023

Review – Public ICS Disclosures – Week of 2-4-23

This week we have eleven vendor disclosures from ABB, Baicells, Dahua, Palo Alto Networks (5), Ruckus, and Zyxel Networks (2). We also have three vendor updates from CONTEC, HPE, and Moxa. Finally, we have thirteen researcher reports on products from Siemens and Open Design Alliance (12).

NOTE: There have been problems with the NIST NVD CVE listings this morning. They have been slow to load or have not been found. Hopefully this will be corrected in the near future.

Vendor Disclosures

Baicells Advisory - Baicells published an advisory that describes a cross-site scripting vulnerability in their Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices.

Dahua Advisory - Dahua published an advisory that describes an unauthorized modification of device timestamp vulnerability in some of their embedded products.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that discusses an improper privilege management vulnerability in SUDO.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that discusses the OpenSSL vulnerabilities disclosed Feb 7, 2023.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes a protection mechanism failure vulnerability in their Cortex XDR agent.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an information disclosure vulnerability in their Cortex XDR agent.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes a file disclosure vulnerability in their Cortex XSOAR server.

Ruckus Advisory - Ruckus published an advisory that describes a cross-site request forgery vulnerability in multiple products using their AP Web application.

NOTE: Multiple end-of-life products are listed as being affected by this vulnerability.

Zyxel Advisory #1 - Zyxel published an advisory that describes a command injection vulnerability in their firewalls.

Zyxel Advisory #2 - Zyxel published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their APs.

Vendor Updates

CONTEC Update - JPCERT published an update for their Solar View Compact advisory that was originally published on May 26th, 2022 and most recently updated on December 13th, 2022.

HPE Update - HPE published an update for their OneView advisory that was originally published on January 31st, 2023.

Moxa Update - Moxa published an update for their UC Series advisory that was originally published on November 29th, 2023.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-333-04) for this new information.

Researcher Reports

Siemens Report - Otorio published a report describing two vulnerabilities in the Siemens Automation License Manager.

ODA Report #1 - The Zero Day Initiative published a report that describes a memory corruption vulnerability in the ODA Drawing SDK.

ODA Report #2 - ZDI published a report that describes a memory corruption vulnerability in the ODA Drawing SDK.

ODA Report #3 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #4 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #5 - ZDI published a report that describes a heap-based buffer overflow vulnerability in the ODA Drawing SDK.

ODA Report #6 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #7 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #8 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #9 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #10 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #11 - ZDI published a report that describes a heap-based buffer overflow vulnerability in the ODA Drawing SDK.

ODA Report #12 - ZDI published a report that describes a use-after-free vulnerability in the ODA Drawing SDK.

 

For more details about these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-6e9 - subscription required.

Thursday, July 14, 2022

Review – 18 Advisories Published – 7-14-22

Today, CISA’s NCCIC-ICS published 18 control system security advisories for products from Open Design Alliance and Siemens (17). They also published twelve updates that I will cover in a separate post. Siemens published one more advisory on Tuesday that was not covered by NCCIC-ICS today. I will cover it this weekend.

Open Design Alliance Advisory - This advisory describes three out-of-bounds read vulnerabilities in the Open Design Alliance Drawings SDK platform.

RUGGEDCOM Advisory #1 - This advisory describes a code injection vulnerability in the Siemens RUGGEDCOM ROS based devices.

NOTE: The Siemens advisory lists affected products for which no fix is planned.

RUGGEDCOM Advisory #2 - This advisory describes a code injection vulnerability in the Siemens RUGGEDCOM ROX based devices.

Opcenter Advisory - This advisory describes an incorrect implementation of authentication algorithm vulnerability in the Siemens Opcenter Quality quality management system.

EN100 Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens EN100 Ethernet Module.

NOTE: The Siemens advisory lists four of the five affected products as having no fix planned.

SIMATIC Advisory #1 - This advisory describes two vulnerabilities in the Siemens SIMATIC eaSie digital automation manager.

SIMATIC Advisory #2 - This advisory describes two vulnerabilities in the Siemens SIMATIC MV500 Optical Readers. The vulnerabilities are self-reported.

CPC80 Advisory - This advisory describes a missing release of resource after effective lifetime vulnerability in the Siemens CPC80 Firmware of SICAM A8000.

Mendix Advisory #1 - This advisory describes an improper access control vulnerability in the Siemens Mendix application platform.

Mendix Advisory #2 - This advisory describes an injection vulnerability in the Siemens Mendix Applications.

Mendix Advisory #3 - This advisory describes an XML entity expansion vulnerability in the Mendix Excel Importer Module.

SRCS VPN Advisory - This advisory describes three vulnerabilities in the Siemens SIMATIC CP Devices when using SRCS VPN.

Simcenter Advisory #1 - This advisory describes an out-of-bounds read vulnerability in the Siemens Simcenter Femap and Parasolid products.

Simcenter Advisory #2 - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap complex model simulator.

PADS Advisory - This advisory describes 20 vulnerabilities in the Siemens PADS Standard and Standard Plus PCB schematic design and layout environment.

NOTE: Siemens reports that no fix is planned.

Datalogics Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Siemens Teamcenter Visualization and JT2Go products.

SICAM Advisory - This advisory describes an exposure of resource to wrong sphere vulnerability in the Siemens SICAM GridEdge software.

SCALANCE Advisory - This advisory describes three vulnerabilities in the Siemens SCALANCE X Switch Devices.

 

For more details on these advisories, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/18-advisories-published-7-14-22 - subscription required.

Saturday, January 15, 2022

Review - Public ICS Disclosure – Week of 1-8-22 – Part 1

This week, as we have come to expect for the Saturday after 2nd Tuesday, we have a full slate of ICS disclosures, including more Log4Shell disclosures, that will take multiple posts to deal with. In Part 1 we have fourteen vendor disclosures from Belden, Blackberry, Dynalite, Hitachi Energy, HPE, Moxa, Palo Alto Networks (4), QNAP (3), and Yokogawa. There is also an update from HPE. There were also two researcher reports for products from IDEMIA and ODA. Finally, we have an exploit for products from SonicWall.

Part 2 of this post will address the Schneider advisories and updates that were published on Tuesday as well as the Siemens updates that were not addressed by NCCIC-ICS this week.

Belden Advisory - Belden published an advisory describing six vulnerabilities in their Tofino and Eagle products.

BlackBerry Advisory - BlackBerry published an advisory describing an elevation of privilege vulnerability in their QNX Neutrino Kernel.

Dynalite Advisory - Dynalite published an advisory discussing two vulnerabilities in their DDNG-BACnet gateway and in Niagara SOFTJACE products.

Hitachi Energy Advisory - Hitachi Energy published an advisory discussing four vulnerabilities in their e-mesh™ Energy Management System (EMS) Product.

HPE Advisory - HPE published an advisory describing a remote access vulnerability in their Ezmeral Data Fabric.

Moxa Advisory - Moxa published an advisory describing four vulnerabilities in their VPort 06EC-2V Series and VPort 461A Series IP Cameras and Video Servers.

Palo Alto Advisory #1 - Palo Alto published an advisory describing an uncontrolled search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #2 - Palo Alto published an advisory describing an untrusted search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #3 - Palo Alto published an advisory describing a link following vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #4 - Palo Alto published an advisory describing a file and directory information exposure vulnerability in their Cortex XDR Agent.

Phoenix Contact Advisory - Phoenix Contact published an advisory discussing the NUCLEUS:13 vulnerabilities in their BLUEMARK X1 / LED / CLED printers.

QNAP Advisory #1 - QNAP published an advisory describing a remote code execution vulnerability in their QTS and QuTS hero products.

QNAP Advisory #2 - QNAP published an advisory describing five separate classic buffer overflow vulnerabilities in their QVR Elite, QVR Pro, and QVR Guard products.

QNAP Advisory #3 - QNAP published an advisory describing two vulnerabilities in their QcalAgent.

Yokogawa Advisory - Yokogawa published an advisory discussing a link following vulnerability in the license function in Yokogawa products.

HPE Update - HPE published an update for their Integrated Lights-out 4 advisory that was originally published on August 23rd, 2017.

IDEMIA Report - Positive Technologies published a report describing a TLS bypass vulnerability in IDEMIA biometric identification products.

ODA Report - ZDI published a report describing a JPG file parsing memory corruption vulnerability in the Open Design Alliance (ODA) Drawings Explorer.

SonicWall Exploit - jbaines-r7 published a Metasploit module for a command injection vulnerability in the SonicWall SMA 100 Series.

For more details on the above disclosures, including links to 3rd party advisories and vulnerability exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-1-8 - subscription required.

Saturday, December 25, 2021

Review - Public ICS Disclosure – Week of 12-18-21 – Part 1

Merry Christmas. This has been another busy week for ICS disclosures. Part 1 today will be normal vulnerabilities and Part 2 (probably tomorrow) will be Log4Shell disclosures.

This week we have six vendor disclosures from ABB, IDEC Corporation, QNAP, Hitachi Energy (2), and Johnson Controls. We also have twelve researcher reports for products from Garrett (7) and Open Design Alliance (5).

ABB Advisory - ABB published an advisory describing an MMS file transfer vulnerability in their Distribution Automation products.

IDEC Advisory - JPCERT published an advisory [link added 18:40 EST 1-6-22] for four vulnerabilities in the IDEC PLCs.

QNAP Advisory - JPCERT published an advisory describing two vulnerabilities in the QNAP VioStar series NVR.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory describing four vulnerabilities in their LinkOne product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory discussing seven vulnerabilities in their Data Manager (SDM600) product.

Johnson Controls Advisory - Johnson Controls published an advisory describing an unspecified vulnerability in their American Dynamics VideoEdge NVR.

NOTE: It looks like this has been reported to NCCIC-ICS, so we may see an advisory from them next week.

Garrett Reports - Talos published seven reports covering nine vulnerabilities in the Garrett Metal Detectors used for security screening.

ODA Reports - The Zero Day Initiative published five reports covering vulnerabilities in the ODA Drawings Explorer product.

For more details on these advisories, including links to third-party advisories, see my report at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-12 - subscription required.

Sunday, November 21, 2021

Review - Public ICS Disclosures – Week of 11-13-21 – Part 2

For Part 2 we have six vendor disclosures from Flexera, HPE, Meinberg, QNAP, Tanzu, and VMware. There is also an update from CODESYS. We also have six researcher reports about vulnerabilities in products from LibreCad (3) and Open Design Alliance (3).

Flexera Advisory - Flexera published an advisory describing an open redirect vulnerability in their FlexNet Publisher.

HPE Advisory - HPE published an advisory discussing four vulnerabilities in their Fibre Channel Host Bus Adapters.

Meinberg Advisory - Meinberg published an advisory describing six vulnerabilities in their LANTIME-Firmware.

QNAP Advisory - QNAP published an advisory describing a cross-site scripting vulnerability in their NAS running Ragic Cloud DB.

Tanzu Advisory - Tanzu published an advisory describing a code injection vulnerability in their Spring Cloud Netflix Hystrix Dashboard.

VMware Advisory - VMware published an advisory describing a privilege escalation vulnerability in their VMware Center Server.

CODESYS Update - CODESYS published an update for their Gateway V3 advisory that was originally published on March 29th, 2021 and most recently updated on May 18th, 2021.

LibreCad Report #1 - Talos published a report describing a use-after-free vulnerability in the LibreCad libdxfrw. This is a coordinated disclosure.

LibreCad Report #2 - Talos published a report describing an improper restriction of operations within the bounds of a memory buffer in the LibreCad libdxfrw.

LibreCad Report #3 - Talos published a report describing an out-of-bounds write vulnerability in the LibreCad libdxfrw.

ODA Report #1 - ZDI published a report describing a use-after-free vulnerability in the ODA ODAviewer product.

ODA Report #2 - ZDI published a report describing an out-of-bounds read vulnerability in the ODA ODAviewer product.

ODA Report #3 - ZDI published a report describing an out-of-bounds read vulnerability in the ODA ODAviewer product.

For more details about these advisories and reports, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-e7c - subscription required.

Saturday, November 13, 2021

Review - Public ICS Disclosures – Week of 11-6-21 – Part 1

This week we have twelve vendor disclosures from BlackBerry, Draeger, Open Design Alliance, HPE (4), Milestone, Phoenix Contact, QNAP, and VMware (2). There is also an update from CODESYS. Finally, we have a research report from Forescout on the plethora of TCP/IP vulnerability disclosures.

I will cover the remaining Siemens and Schneider advisories and updates that were published Tuesday, but not yet covered by NCCIC-ICS in Part 2.

BlackBerry Advisory - BlackBerry published an advisory describing three vulnerabilities in their Protect for Windows product.

Draeger Advisory - Draeger published an advisory discussing the NUCLEUS:13 vulnerabilities.

ODA Advisory - INCIBE-CERT published an advisory describing nine vulnerabilities in the ODAViewer.

HPE Advisory #1 - HPE published an advisory describing an arbitrary code execution vulnerability in their ProLiant Gen10 Plus Servers.

HPE Advisory #2 - HPE published an advisory describing 15 vulnerabilities in their ProLiant and Apollo Gen10 and Gen10 Plus servers.

HPE Advisory #3 - HPE published an advisory discussing three vulnerabilities in their ProLiant, Apollo, Synergy Gen10 and Gen10 Plus Servers.

HPE Advisory #4 - HPE published an advisory discussing an escalation of privilege vulnerability in their ProLiant, Apollo, Edgeline, and Synergy Servers.

Milestone Advisory - Milestone published an advisory describing an arbitrary file access vulnerability in their XProtect DLNA server.

Phoenix Contact Advisory - Phoenix Contact published an advisory describing two vulnerabilities in their FL MGUARD 1102/1105 products.

QNAP Advisory - QNAP published an advisory describing a cross-site scripting vulnerability in their NAS running QmailAgent.

VMware Advisory #1 - VMware published an advisory describing a privilege escalation vulnerability in their vCenter Server.

VMware Advisory #2 - VMware published an advisory discussing a denial-of-service vulnerability in their Tanzu Application Service for VMs.

CODESYS Update - CODESYS published an update for their V2 web server advisory that was originally published on October 25, 2021.

TCP/IP Vulnerability Report - Forescout published an overview report on the recent spate of TCP/IP stack vulnerability reports.

For more details on these advisories and updates, including links to 3rd party reports, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11 - subscription required.

Tuesday, June 8, 2021

Review - 14 Advisories Published – 6-8-21

Today CISA’s NCCIC-ICS published fourteen control system security advisories for products from Siemens (8), Thales, Schneider Electric (2), AVEVA, Open Design Alliance, and Johnson Controls. NCCIC-ICS also published ten updates today; they will be addressed in a separate blog post tomorrow.

Siemens Advisories

• JT2Go Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens JT2Go and Teamcenter Visualization products.

• SIMATIC Advisory #1 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC RF Products.

• Simcenter Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap products.

• SIMATIC Advisory #2 - This advisory describes fifteen vulnerabilities in the Siemens SIMATIC NET CP 443-1 OPC UA product.

• SIMATIC Advisory #3 - This advisory describes two vulnerabilities in the Siemens SIMATIC TIM 1531 IRC.

• Solid Edge Advisory - This advisory describes two out-of-bounds write vulnerabilities in the Siemens Solid Edge products.

• TIM Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIM 1531 IRC.

• Mendix Advisory - This advisory describes an insufficient verification of data authenticity vulnerability in the Siemens Mendix SAML Module.

Thales Advisory

This advisory describes an incomplete cleanup vulnerability in the Thales Sentinel LDK Run-Time Environment (RTE).

Schneider Advisories

Modicon Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Modicon X80 product.

IGSS Advisory - This advisory describes thirteen vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS).

NOTE: Schneider published four additional advisories today. If they are not addressed by NCCIC-ICS on Thursday, I will discuss them in my Public ICS Disclosure post this weekend.

AVEVA Advisory

This advisory describes a clear-text storage of sensitive information in memory vulnerability in the AVEVA InTouch 2020 R2 product.

NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.

ODA Advisory

This advisory describes eight vulnerabilities in the ODA Drawings SDK product.

Johnson Controls Advisory

This advisory describes an improper privilege management vulnerability in the Johnson Controls Metasys Servers, Engines, and Tools.

NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.

For a more detailed discussion of these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-published-6-8-21. Subscription required.

Thursday, May 6, 2021

2 Updates Published – 5-6-21

Today CISA’s NCCIC-ICS updated two control system security advisories for products from Open Design Alliance and multiple RTOS vendors.

ODA Update

This update provides additional information on an advisory that was originally published on February 16th, 2021. The new information includes:

• Adding a new out-of-bounds write vulnerability, and

• Adding a new affected product that is only affected by the new vulnerability.

NOTE: I briefly described the new vulnerability last Saturday.

Multiple RTOS Update

This update provides additional information on the BadAlloc advisory that was originally published on April 29th, 2021. The new information includes adding:

• Four new integer overflow or wraparound vulnerabilities – CVE-2021-27411, CVE-2021-26706, CVE-2021-27407, and CVE-2020-13603,

• Two new affected products - Micrium uC/LIB and Zephyr Project RTOS, and

• Mitigation measures for the new products.

NOTE: I mentioned the possibility that there would be additional RTOS that were affected last Friday.

Saturday, May 1, 2021

Public ICS Disclosures – Week of 4-24-21

This week we have three vendor NAME:WRECK disclosures from Boston Scientific, Braun, and Rockwell. We also have 14 vendor disclosures from Beckhoff, Bosch (2), B&R Industrial Automation, MB connect, CODESYS (5), Moxa, ODA, and Texas Instruments (2). We have five researcher reports for products from Advantech (4) and Siemens. Finally, we have exploits for products from OpenPLC and VMware.

NAME:WRECK Advisories

Boston Scientific published an advisory discussing the NAME:WRECK vulnerabilities, announcing that they are investigating to see if any of their products are affected.

Braun published an advisory discussing the NAME:WRECK vulnerabilities, announcing that none of their ‘connected devices’ are affected.

Rockwell published an advisory discussing the NAME:WRECK vulnerabilities, providing a list of affected products and fixed versions.

Beckhoff Advisory

Beckhoff published an advisory describing an improper input validation vulnerability in their TwinCAT OPC UA Server and IPC Diagnostics UA Server. The vulnerability was reported by Industrial Control Security Laboratory of QI-ANXIN Technology Group. Beckhoff has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Bosch Advisories

Bosch published an advisory describing seven vulnerabilities in their ctrlX CORE - IDE App. These are third-party (OpenSSL and Python) vulnerabilities. The next version of the product will mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• Improper encoding or escaping of output - CVE-2020-26116 (exploit),

• Inadequate information (NIST ?) - CVE-2020-27619,

• HTTP request smuggling - CVE-2021-23336 (exploit),

• Integer overflow or wraparound - CVE-2021-23840, CVE-2021-23841,

• Classic buffer overflow - CVE-2021-3177 (exploit), and

• NULL pointer dereference - CVE-2021-3449

Bosch published an advisory describing an FTP backdoor in their Rexroth Fieldbus Couplers. Bosch provides generic workarounds.

B&R Advisory

B&R published an advisory describing an uncontrolled resource consumption vulnerability in their I/O system and HMI components. This is a third-party (Siemens) vulnerability. B&R provides generic workarounds.

MB Advisory

CERT-VDE published an advisory discussing the DNSpooq vulnerabilities in the MB connect mbNET products. MB connect has new versions that mitigate the vulnerabilities.

CODESYS Advisories

CODESYS published an advisory [.PDF download link] describing a cross-site request forgery vulnerability in their CODESYS Automation Server. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing a NULL pointer dereference vulnerability in their CODESYS V3 products containing the CmpGateway. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an insufficient verification of data authenticity vulnerability in their Development System V3. The vulnerability was reported by an OEM customer. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an insufficient verification of data authenticity vulnerability in their Development System V3. The vulnerability was reported by Uri Katz of Claroty. CODESYS has a new version that mitigates this vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory [.PDF download link] describing an improper input validation vulnerability in their V3 products and Control V3 Runtime System Toolkit. The vulnerability was reported by Alexander Nochvay from Kaspersky Lab ICS CERT. CODESYS has a new version that mitigates the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

Moxa Advisory

Moxa published an advisory describing four vulnerabilities in their NPort IA5000A Series Serial Device Servers. The vulnerabilities were reported by Alexander Nochvay from Kaspersky Lab ICS CERT. Moxa has a new version to mitigate one of the vulnerabilities and workarounds for the others. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fixes.

The four reported vulnerabilities:

• Improper access control - CVE-2020-27149,

• Unprotected storage of credentials - CVE-2020-27150,

• Cleartext transmission of sensitive information (2) - CVE-2020-27184 and CVE-2020-27185

ODA Advisory

ODA published an advisory describing an out-of-bounds write vulnerability in their Open Design Alliance Drawings SDK. ODA has a new version that mitigates the vulnerability.

NOTE: This is a very minimalist advisory.

TI Advisories

TI published an advisory discussing the BadAlloc vulnerabilities in their SimpleLink™ CC13XX, CC26XX, CC32XX and MSP432E4 products. TI provides generic workarounds for these vulnerabilities.

TI published an advisory describing an integer overflow vulnerability in their Network Developer's Kit. The vulnerability was reported by Omri Ben Bassat and David Atch of Microsoft. The product is no longer supported.

Advantech Report

The Zero Day Initiative published four reports for vulnerabilities in the Advantech WebAccess/HMI Designer products. The vulnerabilities were reported by kimiya and have been coordinated with NCCIC-ICS; an advisory from them is pending.

The four reported vulnerabilities are:

• Heap-based buffer overflow - ZDI-21-490 and ZDI-21-487,

• File parsing memory corruption - ZDI-21-489, and

• Out-of-bounds write - ZDI-21-488

Siemens Report

ZDI published a report describing an information validation vulnerability in the Siemens JT2Go product. The vulnerability was reported by Michael DePlante. ZDI has been coordinating with NCCIC-ICS since last September.

OpenPLC Exploit

Fellipe Oliveira published an exploit for a remote code execution vulnerability in the OpenPLC product. There is no CVE provided and no indications of coordination with the vendor. This may be a 0-day vulnerability.

VMware Exploit

Egor Dimitrenko published a Metasploit module for two vulnerabilities in the VMware vRealize Operations Manager. The vulnerabilities were reported by VMware on March 31st, 2021.

The two exploited vulnerabilities are:

• Server-side request forgery - CVE-2021-21975, and

• Arbitrary file write - CVE-2021-21983


Tuesday, February 16, 2021

3 Advisories and 1 Update Published – 2-16-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell and Open Design Alliance, as well as a medical device security advisory for products from Hamilton Medical. They also updated an advisory from M&M Software (WAGO).

Rockwell Advisory

This advisory describes an improper handling of length parameter inconsistency vulnerability in the Allen-Bradley MicroLogix 1100 Programmable Logic Controller. The vulnerability was reported by Talos. Rockwell advises upgrading to the MicroLogix 1400, firmware v21.006 or higher.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in denial-of-service conditions.

NOTE: I briefly discussed this vulnerability on Saturday.

Open Design Alliance Advisory

This advisory describes six vulnerabilities in the Open Design Alliance Drawings SDK software development kit. The vulnerabilities were reported by Michael DePlante and rgod via the Zero Day Initiative. ODA has a newer version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-25178,

• Type confusion - CVE-2021-25177,

• Untrusted pointer dereference - CVE-2021-25176,

• Incorrect type conversion or cast - CVE-2021-25175, and

• Memory allocation with excessive size value (2) - CVE-2021-25174 and CVE-2021-25173

NCCIC-ICS reported that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow code execution in the context of the current process or cause a denial-of-service condition.

NOTE: These vulnerabilities were reported last week in NCCIC’s Siemens JT2Go and Teamcenter Visualization (ICSA-21-040-06) advisory and the Siemens advisory (SSA-663999) upon which it was based. Both advisories provided links to the ODA advisory. It will be interesting to see what other vendors use this ODA tool.

Hamilton Advisory

This advisory describes three vulnerabilities in the Hamilton-T1 Ventilator. The vulnerabilities were reported by Julian Suleder, Raphael Pavlidis, Nils Emmerich and Dr. Oliver Matula of ERNW Research. Hamilton recommends updating to newer versions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2020-27278,

• Missing XML validation - CVE-2020-27282, and

• Exposure of sensitive information - CVE-2020-27290

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the device could exploit the vulnerability to obtain sensitive information or crash the device being accessed.

NOTE: For those that are interested, here is the German BSI’s report on a whole slew of these vulnerabilities that were reported by ERNW Research for this BSI project. Not a lot of detail, but there are a lot of vulnerable devices.

WAGO Update

This update provides additional information on an advisory that was originally published on January 21st, 2021 and most recently updated on February 4th, 2021. The new information includes adding the Mitsubishi Electric MELSOFT FieldDeviceConfigurator as an affected product with a link to the Mitsubishi advisory.

 
/* Use this with templates/template-twocol.html */