Today the CISA NCCIC-ICS published four control system security advisories for products from Schneider Electric, Real Time Automation, Paradox, and Johnson Controls.
Schneider Advisory
This advisory describes nine vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.
The nine reported vulnerabilities are:
• Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,
• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and
• Out-of-bounds read - CVE-2020-7557
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to achieve remote code execution.
NOTE: I briefly discussed these vulnerabilities last Saturday.
Real Time Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Real Time Automation (RTA) 499ES EtherNet/IP (ENIP) Adaptor Source Code. The vulnerability was reported by Sharon Brizinov of Claroty. According to the Claroty report, RTA has a version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition, and that the buffer overflow may allow remote code execution.
Claroty reports that a number of vendors appear to be using the vulnerable RTA ENIP stack.
Paradox Advisory
This advisory describes two vulnerabilities in the Paradox IP150 internet module. The vulnerabilities were reported by Omri Ben-Bassat of Microsoft. NCCIC-ICS provides an email address to contact Paradox for mitigation information.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2020-25189 (3 separate overflows under this CVE#), and
• Classic buffer overflow - CVE-2020-25185 (9 separate overflows under this CVE#)
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, which may result in the termination of the physical security system.
Johnson Controls Advisory
This advisory describes an improper authorization vulnerability in the Johnson Controls (Sensormatic Electronics) American Dynamics victor Web Client and Software House C•CURE Web Client. The vulnerability was reported by Joachim Kerschbaumer. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability: an unauthenticated attacker on the network could create and sign their own JSON web token and use it to execute an HTTP API method without valid authentication or authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a denial-of-service attack.