
Tuesday, June 15, 2021

2 Advisories and 1 Update Published – 6-15-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Automation Direct and ThroughTek. They also updated a medical device security advisory for products from OpenClinic.

Automation Direct Advisory

This advisory describes five vulnerabilities in the Automation Direct CLICK PLC CPU modules. The vulnerabilities were reported by Irfan Ahmed and Adeen Ayub of Virginia Commonwealth University and Hyunguk Yoo of the University of New Orleans. Automation Direct has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Authentication bypass using alternate path or channel - CVE-2021-32980, CVE-2021-32984, and CVE-2021-32986,

• Clear-text transmission of sensitive information - CVE-2021-32982, and

• Unprotected storage of credentials - CVE-2021-32978

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to log in as a currently or previously authenticated user or discover passwords for valid users.

ThroughTek Advisory

This advisory describes a clear-text transmission of sensitive information vulnerability in the ThroughTek P2P Software Development Kit (SDK). The vulnerability was reported by Nozomi Networks. ThroughTek has a new version that, along with certain setting manipulations, mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to permit unauthorized access to sensitive information, such as camera audio/video feeds.

OpenClinic Update

This update provides additional information on an advisory that was originally published on July 2nd, 2020 and most recently updated on August 27th, 2020. The new information includes adding a new version that mitigates the vulnerabilities.

NOTE: NCCIC-ICS forgot to refer to the previous update instead of the original version of the advisory in Section 2.

Thursday, August 27, 2020

1 Advisory and 1 Update Published – 8-27-20


Today the CISA NCCIC-ICS published a control system security advisory for products from Red Lion and updated a medical device security advisory for products from OpenClinic GA.

Red Lion Advisory


This advisory describes five vulnerabilities in the Red Lion N-Tron 702W series products. The vulnerabilities were reported by Thomas Weber from SEC Consult Vulnerability Lab. These products went out of support in 2018 and cannot be updated.

The five reported vulnerabilities are:

• Cross-site scripting - CVE-2020-16210 and CVE-2020-16206,
• Cross-site request forgery - CVE-2020-16208,
• Backdoor - CVE-2020-16204, and
• Use of unmaintained third-party components - CVE-2017-16544

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain unauthorized access to sensitive information, execute system commands, and perform actions in the context of an attacked user.

NOTE: There are multiple proof-of-concept exploits available for the last vulnerability, actually multiple vulnerabilities. Some of those exploits of the BusyBox vulnerabilities can be found here, here and here.

OpenClinic Update


This update provides additional information on an advisory that was originally published on July 2nd, 2020. The new information includes three CVE numbers for vulnerabilities covered under the single listed ‘use of unmaintained third-party components vulnerability’; those CVEs are:

• CVE-2014-0114 (Apache Struts, improper input validation, multiple exploits),
• CVE-2016-1181 (Apache Struts, insufficient information, multiple exploits), and
• CVE-2016-1182 (Apache Struts, improper input validation, multiple exploits)


Thursday, July 2, 2020

3 Advisories and 1 Update Published – 7-2-20


Today the CISA NCCIC-ICS published two control system security advisories for products from ABB and Nortek and a medical device security advisory for products from OpenClinic. They also updated an advisory for products from Johnson Controls.

ABB Advisory


This advisory describes a cross-site scripting vulnerability in the ABB System 800xA Information Manager. The vulnerability was reported by William Knowles of Applied Risk. ABB has versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to inject and execute arbitrary code on the information manager server.

NOTE 1: An interesting process safety note can be found in the ABB Advisory:

“Under certain conditions exploits of this vulnerability may affect the integrity of safety functions in System 800xA. This is however prevented if the Access Enable key in the AC800MHI is turned Off (“disabled”) and Access Level for the variables in the safety applications are configured to ‘Read Only’ or ‘Confirm and Access Enable’”

NOTE 2: I briefly discussed this vulnerability back in April.

Nortek Advisory


This advisory describes five vulnerabilities in the Nortek Linear eMerge 50P/5000P. The vulnerabilities were reported by Gjoko of Applied Risk. Nortek has a new version that mitigates the vulnerabilities. There is no indication that Gjoko has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Path traversal - CVE-2019-7267,
• Command injection - CVE-2019-7269,
• Unrestricted upload of file with dangerous type - CVE-2019-7268,
• Cross-site request forgery - CVE-2019-7270, and
• Improper authentication - CVE-2019-7266

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain full system access.

NOTE 1: The Applied Risk advisory also describes a default credentials vulnerability (CVE-2019-7271) in this product.

NOTE 2: There is at least one publicly available exploit for vulnerabilities described in this advisory.

OpenClinic Advisory


This advisory describes 12 vulnerabilities in OpenClinic GA, an open-source integrated hospital information management system. The vulnerabilities were reported by Brian D. Hysell. NCCIC-ICS has not received any confirmation of mitigation measures from OpenClinic GA.

The twelve reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2020-14485,
• Improper restriction of excessive authentication attempts - CVE-2020-14484,
• Improper authentication - CVE-2020-14494,
• Missing authorization - CVE-2020-14491,
• Execution with unnecessary privileges - CVE-2020-14493,
• Unrestricted upload of file with dangerous type - CVE-2020-14488,
• Path traversal - CVE-2020-14490,
• Improper authorization - CVE-2020-14486,
• Cross-site scripting - CVE-2020-14492,
• Use of unmaintained third-party components - CVE-2020-14495,
• Insufficiently protected credentials - CVE-2020-14489, and
• Hidden functionality - CVE-2020-14487

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to remotely exploit these vulnerabilities to allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.

Johnson Controls Update


This update provides additional information on an advisory that was originally published on June 18th, 2020. The new information includes corrected version information and mitigation measures.

NCCIC-ICS Update Listings


NCCIC-ICS did not list this latest update on either the ‘Industrial Control Systems’ or the ‘ICS-Archive’ pages. Since this has happened on two consecutive disclosure days, it would appear that this is a change in policy. They are still (for the time being at least) reporting these updates in their emails and TWEETS®. You can sign up for their email alerts at the bottom of the landing page and/or follow their TWEETS @ICS-CERT.

 