Showing posts with label RTOS.

Thursday, May 20, 2021

1 Update Published – 5-20-21

Today CISA’s NCCIC-ICS published an update for a control system security advisory for products from multiple RTOS vendors.

 

Multiple RTOS Update

 

This update provides new information for an advisory that was originally published on April 29th, 2021 and most recently updated on May 6th, 2021. The new information includes:

• Removing Micrium uCOS II/uCOS III from the list of affected products,

• Adding Micrium uC/OS: uC/LIB to the list of affected products,

• Removing CVE-2021-27407 from the list of vulnerabilities (it has also apparently been removed from the National Vulnerability Database),

• Removing update information for Micrium uCOS II/uCOS III, and

• Adding update information for Micrium uC/LIB.

NOTE: The advisory mistakenly refers back to the original version (4-29-21), not the last update. 

Thursday, May 6, 2021

2 Updates Published – 5-6-21

Today CISA’s NCCIC-ICS updated two control system security advisories for products from Open Design Alliance and multiple RTOS vendors.

ODA Update

This update provides additional information on an advisory that was originally published on February 16th, 2021. The new information includes:

• Adding a new out-of-bounds write vulnerability, and

• Adding a new affected product that is only affected by the new vulnerability.

NOTE: I briefly described the new vulnerability last Saturday.

Multiple RTOS Update

This update provides additional information on the BadAlloc advisory that was originally published on April 29th, 2021. The new information includes adding:

• Four new integer overflow or wraparound vulnerabilities – CVE-2021-27411, CVE-2021-26706, CVE-2021-27407, and CVE-2020-13603,

• Two new affected products - Micrium uC/LIB and Zephyr Project RTOS, and

• Mitigation measures for the new products.

NOTE: Last Friday I mentioned the possibility that additional RTOS were affected.

Friday, April 30, 2021

Reader Comment – Other RTOS Affected?

I had an interesting comment pop up over on LinkedIn about the RTOS advisory I discussed last night. Monty Grindy added:

“Interesting. Didn’t see QNX on that list.”

And he is, of course, correct: QNX did not make the list. And, looking at the Wikipedia list of RTOS, there were an awful lot of other RTOS that were not listed. Does this mean that they were not affected? Not sure, but my guess is maybe???

If you read the Microsoft report on BadAlloc you run across some interesting comments. The first that bears on the above question is:

“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations [emphasis added]. These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.”

Thus, any RTOS developers that used the same SDKs or libc implementations could have ended up with similar vulnerabilities in their RTOS. This is consistent with the NCCIC-ICS advisory: each of the 23 vulnerabilities listed uses similar naming conventions for the affected operation.

Microsoft also noted that:

“These remote code execution (RCE) vulnerabilities cover more than 25 CVEs [emphasis added] and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.”

NCCIC-ICS only reported on 25 CVEs (VxWorks and FreeRTOS both received two CVEs). If we take that ‘more than’ statement seriously, and I do not expect that MS used it lightly, then there may be additional RTOS in which MS found vulnerabilities. If those vendors were able to convince MS and NCCIC-ICS that they were still vigorously working on correcting the problems, then NCCIC-ICS may have held off on their disclosure.

Finally, the Wikipedia entry on ‘Realtime Operating Systems’ lists a lot more than 25 entries in the category. I would be very surprised if Microsoft’s Section 52, the Azure Defender for IoT security research group, had enough time or incentive to try to test all of those RTOS. They certainly made their point with the research that they did do.

I would also be surprised if they found this type of memory allocation vulnerability in all of the RTOS that they tested. Certainly, someone was using a different set of tools and libraries to set up their RTOS. It would have been helpful if Microsoft had provided a list of systems that they tested that were not vulnerable to this particular type of vulnerability.

One final note. I am sure that now that MS has pointed the way to these common vulnerabilities in 25 different operating systems, other researchers will be looking for other common-cause vulnerabilities. IoT and OT cybersecurity is just going to continue to get more and more interesting.

Thursday, April 29, 2021

4 Advisories Published – 4-29-21

Today, CISA’s NCCIC-ICS published control system security advisories for products from multiple RTOS vendors, Johnson Controls, Cassia Networks, and Texas Instruments.

RTOS Advisory

This advisory describes 23 [corrected typo '13' to '23', 4-30-21 0853 EDT] different integer overflow or wraparound vulnerabilities in multiple real-time operating systems (RTOS). The vulnerabilities were discovered by Microsoft’s Section 52, the Azure Defender for IoT security research group, and are collectively named BadAlloc. The advisory provides links to updated versions for most of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities, resulting in unexpected behavior such as a crash or remote code injection/execution.
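To make the "integer overflow or wraparound" class concrete, both for this advisory and for the Microsoft quote in the April 30 post about vulnerabilities living in standard memory allocation functions, here is an added illustration. It is not code from Microsoft, NCCIC-ICS, or any of the listed RTOS vendors, and the names (arena_t, bad_alloc, safe_alloc, safe_calloc) are hypothetical. It models a toy bump allocator that prepends a size header and rounds requests up to 8-byte alignment: the vulnerable version does that arithmetic in size_t with no wraparound check, so a huge request wraps to a tiny padded size, the arena bounds check passes, and the caller gets a block far smaller than it asked for; the hardened version refuses the request before computing the sum. The calloc-style product check at the end generalizes the same fix to count * size arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a bump allocator over a fixed arena, with an
 * 8-byte size header in front of each block and 8-byte alignment.
 * All names here are hypothetical and model the BadAlloc pattern;
 * none are taken from a vendor RTOS or libc. */

#define ALIGN 8u
#define HDR   sizeof(size_t)

typedef struct {
    uint8_t *base;   /* start of the arena */
    size_t   size;   /* arena size in bytes */
    size_t   top;    /* bytes handed out so far */
} arena_t;

/* Vulnerable pattern: header and alignment slack are added to the
 * caller's request in size_t arithmetic with no wraparound check.
 * For n = SIZE_MAX - 4 the sum wraps to 10 and rounds to 8. */
size_t bad_padded_size(size_t n) {
    return (n + HDR + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

void *bad_alloc(arena_t *a, size_t n) {
    size_t total = bad_padded_size(n);          /* may have wrapped */
    if (total > a->size - a->top) return NULL;  /* passes for the wrapped value */
    uint8_t *blk = a->base + a->top;
    size_t usable = total - HDR;                /* 0 bytes in the wrapped case */
    memcpy(blk, &usable, HDR);                  /* record block size in header */
    a->top += total;
    return blk + HDR;                           /* caller believes it owns n bytes */
}

/* Hardened padding: reject any request whose padded size would exceed
 * SIZE_MAX before doing the arithmetic. Returns 0 on success, -1 on overflow. */
int safe_padded_size(size_t n, size_t *out) {
    if (n > SIZE_MAX - HDR - (ALIGN - 1)) return -1;
    *out = (n + HDR + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return 0;
}

void *safe_alloc(arena_t *a, size_t n) {
    size_t total;
    if (safe_padded_size(n, &total) != 0) return NULL;
    if (total > a->size - a->top) return NULL;
    uint8_t *blk = a->base + a->top;
    size_t usable = total - HDR;
    memcpy(blk, &usable, HDR);
    a->top += total;
    return blk + HDR;
}

/* Same bug class in calloc-style allocators: count * size can wrap.
 * Check the product before computing it. */
void *safe_calloc(arena_t *a, size_t count, size_t size) {
    if (size != 0 && count > SIZE_MAX / size) return NULL;
    void *p = safe_alloc(a, count * size);
    if (p) memset(p, 0, count * size);
    return p;
}

/* Usable bytes recorded in the header of a block from either allocator. */
size_t block_usable(void *p) {
    size_t usable;
    memcpy(&usable, (uint8_t *)p - HDR, HDR);
    return usable;
}

int main(void) {
    static uint8_t mem[256];
    arena_t a = { mem, sizeof mem, 0 };
    size_t huge = SIZE_MAX - 4;   /* n + HDR + 7 wraps to 10, rounds to 8 */

    void *p = bad_alloc(&a, huge);
    printf("bad_alloc(SIZE_MAX-4):  %s, usable=%zu\n",
           p ? "succeeded" : "NULL", p ? block_usable(p) : (size_t)0);
    printf("safe_alloc(SIZE_MAX-4): %s\n",
           safe_alloc(&a, huge) ? "succeeded" : "NULL");
    printf("safe_calloc(SIZE_MAX/2, 4): %s\n",
           safe_calloc(&a, SIZE_MAX / 2, 4) ? "succeeded" : "NULL");
    return 0;
}
```

The point to take from the vulnerable path is that the bounds check is not missing; it is correct for the value it is given. The defect is that the value was already wrong by the time the check ran, which is why the fix has to guard the arithmetic itself rather than add another comparison afterwards.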

NOTE: NCCIC-ICS has updated their remote access – VPN guidance:

“When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.”

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in Johnson Controls exacqVision Network Video Recorder running on unpatched versions of the Ubuntu operating system. This is a third-party (Sudo) vulnerability and there are exploits reported (here, here, and here for example). Johnson Controls recommends updating the Ubuntu operating systems to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability to obtain “Super User” access to the underlying Ubuntu Linux operating system.

Cassia Advisory

This advisory describes a path traversal vulnerability for the Cassia Networks Access Controller. The vulnerability was reported by Amir Preminger and Sharon Brizinov of Claroty. Cassia has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to read any file from the Access Controller server.

TI Advisory

This advisory describes five vulnerabilities in the Texas Instruments SimpleLink Wi-Fi products. The vulnerabilities were reported by David Atch and Omri Ben Bassat from Microsoft. TI has software versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Integer overflow or wraparound (4) - CVE-2021-22677, CVE-2021-22675, CVE-2021-22679, and CVE-2021-22671, and

• Stack-based buffer overflow - CVE-2021-22673

 