
Saturday, September 4, 2021

Review - Public ICS Disclosures – Week of 8-28-21

This week we have sixteen vendor disclosures from ABB, Aruba Networks, Baxter, WAGO (3), Hitachi ABB Power Grids, Hewlett Packard Enterprise, Mitsubishi (2), Moxa (2), OPC Foundation, Philips, and QNAP (2). We also have three vendor updates from CODESYS. There are also 20 researcher reports for products from Fuji Electric. Finally, we have an exploit for products from Geutebruck.

ABB Advisory - ABB published an advisory describing a remote code execution vulnerability in their Base Software for SoftControl product.

Aruba Advisory - Aruba published an advisory describing 15 vulnerabilities in their ArubaOS product.

Baxter Advisory - Baxter published an advisory discussing the PrintNightmare vulnerability.

WAGO Advisory #1 - CERT VDE published an advisory describing an improper authentication and access control vulnerability in the WAGO 750-36X and WAGO 750-8XX products.

WAGO Advisory #2 - CERT VDE published an advisory discussing two out-of-bounds read vulnerabilities in the e!COCKPIT and WAGO-I/O-Pro products.

WAGO Advisory #3 - CERT VDE published an advisory describing a missing release of resources after effective lifetime vulnerability in WAGO PLCs.

Hitachi ABB Advisory - Hitachi ABB published an advisory describing a clear-text storage of sensitive information vulnerability in their System Data Manager – SDM600 products.

HPE Advisory - HPE published an advisory discussing two vulnerabilities in the SGI UV 300/3000 and HPE Integrity MC990 X Servers.

Mitsubishi Advisory #1 - Mitsubishi published an advisory discussing the FragAttacks WiFi vulnerabilities.

Mitsubishi Advisory #2 - Mitsubishi published an advisory discussing the BadAlloc vulnerabilities (Amazon FreeRTOS is the specific product involved here).

Moxa Advisory #1 - Moxa published an advisory describing 59 vulnerabilities in their TAP-323, WAC-1001, and WAC-2004 Series Wireless AP/Bridge/Client.

Moxa Advisory #2 - Moxa published an advisory describing 59 vulnerabilities in their OnCell G3470A-LTE and WDR-3124A Series Cellular Gateways/Router.

OPC Foundation - OPC Foundation published an advisory describing an access of memory location after end-of-buffer vulnerability in their Local Discovery Server.

Philips Advisory - Philips published an advisory discussing the HiveNightmare vulnerability.

QNAP Advisory #1 - QNAP published an advisory describing two vulnerabilities in their QNAP NAS running HBS 3.

QNAP Advisory #2 - QNAP published an advisory describing an out-of-bounds read vulnerability in their QNAP NAS running QTS, QuTS hero, and QuTScloud.

CODESYS Update #1 - CODESYS published an update for their V3 web server advisory that was originally published on May 19th, 2021 and most recently updated on July 22nd, 2021.

CODESYS Update #2 - CODESYS published an update for their V3 web server advisory that was originally published on July 15th, 2021.

CODESYS Update #3 - CODESYS published an update for their Gateway V3 advisory that was originally published on July 15th, 2021.

Fuji Electric Reports - The Zero Day Initiative published 20 reports describing 0-day vulnerabilities in the Fuji Tellus Lite V-Simulator.

Geutebruck Exploit - Titouan Lazard, Sebastien Charbonnier, and Ibrahim Ayadhi published a Metasploit module for eight previously reported vulnerabilities in the Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices.

For more details on the advisories and reports, including links to third-party reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8 - subscription required.

Saturday, August 28, 2021

Review - Public ICS Disclosures – Week of 8-21-27

This week we have six vendor disclosures from B&R, OPC Foundation, HPE, Red Lion, and VMware (2). We also have one update from Mitsubishi and one researcher report for products from Braun.

B&R Advisory - B&R published an advisory discussing the INFRA:HALT vulnerabilities.

OPC Foundation Advisory - The OPC Foundation published an advisory describing an access of memory location after end of buffer vulnerability in their Local Discovery Server (LDS).

HPE Advisory - HPE published an advisory describing five vulnerabilities in their FlexNetworking, Flexfabric, and MSR switches and routers.

Red Lion Advisory - Red Lion published an advisory describing an SSH port forwarding vulnerability in their DA50A and DA70A modular gateways.

VMware Advisory #1 - VMware published an advisory describing a cross-site scripting vulnerability in their vRealize Log Insight.

VMware Advisory #2 - VMware published an advisory describing six vulnerabilities in their vRealize Operations product.

Mitsubishi Update - Mitsubishi published an update for their TCP Protocol Stack advisory that was originally published on September 1st, 2020 and most recently updated on May 18th, 2021.

Braun Report - McAfee published a report describing five vulnerabilities in the B. Braun Infusomat Space Large Volume Pump.

For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-9fc - subscription required.

Thursday, May 13, 2021

4 Advisories Published – 5-13-21

Today CISA’s NCCIC-ICS published four control system security advisories for products from Unified Automation, OPC Foundation, Johnson Controls, and Rockwell.

Unified Automation Advisory

This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Unified Automation .NET based OPC UA Client/Server SDK Bundle. The vulnerability was reported by Eran Jacob with the Otorio Research Team. UA has new software to mitigate the vulnerability. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to read any file on the file system.

NOTE: NCCIC-ICS reports that the vulnerability was originally documented by Microsoft in CVE-2015-6096.

OPC Foundation Advisory

This advisory describes an uncontrolled recursion vulnerability in the OPC Foundation OPC UA Servers. The vulnerability was reported by Eran Jacob with the Otorio Research Team. OPC has an update that mitigates the vulnerability. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to trigger a stack overflow.

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in the Sensormatic Electronics Tyco AI. This is a third-party (SUDO) vulnerability with multiple published exploits (see here, here, and here for instance). Johnson Controls has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to obtain super-user access to the underlying openSUSE Linux operating system.

NOTE: The Johnson Controls advisory says the product is the American Dynamics Tyco AI.

Rockwell Advisory

This advisory describes three vulnerabilities in the Rockwell Connected Components Workbench. The vulnerabilities were reported by Mashav Sapir of Claroty. Rockwell has a new version that mitigates the vulnerabilities. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2021-27475;
• Path traversal - CVE-2021-27471; and
• Improper input validation - CVE-2021-27473

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution, authentication bypass, or privilege escalation.

Saturday, April 18, 2020

Public ICS Disclosures – Week of 04-11-20


This week we have five vendor disclosures for products from Schneider (4) and OPC Foundation. We also have nine updated advisories for products from Schneider (4) and Siemens (5).

Schneider Advisories


Schneider published an advisory describing an injection vulnerability in their Modicon M100/M200/M221 controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic products. The vulnerability was reported by Seok Min Lim and Johnny Pan of Trustwave. Schneider has updated software and firmware that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing two vulnerabilities in their Modicon M218/M241/M251/M258 Logic Controllers, SoMachine & SoMachine Motion, and EcoStruxure Machine Expert products. The vulnerabilities were reported by Rongkuan Ma, Shunkai Zhu and Peng Cheng of 307Lab. Schneider has new versions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Insufficient verification of data authenticity - CVE-2020-7487; and
• Clear-text transmission of sensitive data - CVE-2020-7488



Schneider published an advisory describing an untrusted search path vulnerability in their Vijeo Designer and Vijeo Designer Basic Software products. The vulnerability was reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing four vulnerabilities in their legacy Triconex product. These vulnerabilities are self-reported. Schneider reports that newer versions corrected the vulnerabilities.

The four reported vulnerabilities are:

• Password vulnerability (2) - CVE-2020-7483 and CVE-2020-7484;
• Improper access - CVE-2020-7485; and
• Denial of service - CVE-2020-7486

OPC Foundation Advisory


OPC published an advisory describing a malformed message vulnerability in their UA .NET Standard Stack. The vulnerability was reported by Steven Seeley (mr_me) and Chris Anastasio (muffin) via the Zero Day Initiative. OPC has updates available that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider Updates


Schneider has published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on March 11th, 2020. The new information includes updated mitigation information for:

• ION7400 MID; and
• PM8000 MID


Schneider has published an update for their Modicon Controllers advisory that was originally published on November 12th, 2019. The new information includes the addition of a new hard-coded credentials vulnerability - CVE-2019-6859.


Schneider has published an update for their Andover Continuum advisory that was originally published on March 10th, 2020. The updated information includes an explanation that the code injection vulnerability is a third-party MS-XML library vulnerability.


Schneider has published an update for their Modicon Controllers advisory that was originally published on December 10th, 2019. The updated information includes:

• Adding Modicon M340 and M580 to affected product list;
• Adding a hotfix link and adding further details to the mitigation measures;
• Adding updated firmware links; and
• Adding Enrique Murias Fernández of Tecdesoft Automation to the acknowledgements.

Siemens Updates


Siemens published an update for an advisory for Intel CPUs that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET 200SP Open Controller CPU 1515SP PC2.


Siemens published an update for an advisory for Industrial Products that was originally published on January 14th, 2020. The new information includes explicitly mentioning old versions of SIMATIC NET.


Siemens published an update for their GNU/Linux subsystem vulnerabilities advisory that was originally published on November 27th, 2018 and most recently updated on February 11th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2015-5895;
• CVE-2019-19447;
• CVE-2019-19603;
• CVE-2019-19645,
• CVE-2019-19646;
• CVE-2019-19880;
• CVE-2019-19923;
• CVE-2019-19924;
• CVE-2019-19925;
• CVE-2019-19926;
• CVE-2019-19959;
• CVE-2019-20218;
• CVE-2020-8428;
• CVE-2020-8492;
• CVE-2020-9327;
• CVE-2020-10029; and
• CVE-2020-10942


Siemens published an update for their SIMATIC advisory that was originally published on July 30th, 2012. The new information includes adding SIPLUS devices to the list of affected devices.

NOTE: ICS-CERT published advisory ICSA-12-212-02 covering this vulnerability, but has not yet updated (and may not update) that advisory.


Siemens published an update for their SIMATIC advisory that was originally published on July 30th, 2012. The new information includes adding SIPLUS devices to the list of affected devices.

NOTE: This advisory was lumped into the ICS-CERT advisory described above.

Thursday, April 3, 2014

Yet Another Schneider Advisory from ICS-CERT

Today the DHS ICS-CERT published yet another advisory for a vulnerability in a product from Schneider Electric. This one is for a buffer overflow vulnerability in the OPC Factory Server (OFS). The vulnerability was reported by Wei Gao, formerly of IXIA. Schneider has produced an update that mitigates the vulnerability and Wei Gao has verified the efficacy of the patch. Interestingly the Schneider published advisory does not mention Wei Gao.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this ActiveX-based vulnerability to execute a denial-of-service attack by causing the device to reboot.

Schneider reports that the patch includes a patched version of the OLE2T macro from Microsoft. This is also noted in the ICS-CERT advisory. I wonder what other programs are using the vulnerable version of OLE2T?


NOTE: The Schneider security site pointed to by this advisory also includes a link to another update of the Modbus Driver Advisory that I most recently updated on Tuesday.