Showing posts with label Ripple20. Show all posts

Saturday, March 13, 2021

Public ICS Disclosures – Week of 3-6-21

This week we have seven disclosures from Aruba Networks (2), Boston Scientific, PEPPERL+FUCHS, Siemens, and Schneider (2). We have vendor updates for products from Siemens (2) and Schneider (2). There is a researcher report for products from Fatek Automation. Finally, there was an exploit published for products from VMware.

Aruba Advisories

Aruba published an advisory discussing the SAD DNS vulnerability in their Instant Access Points products. Aruba has new versions that mitigate the vulnerability.


Aruba published an advisory describing nineteen vulnerabilities in their Instant Access Points products. Aruba has new versions that mitigate the vulnerabilities.

The 19 reported vulnerabilities are:

• Buffer overflow (3) - CVE-2019-5319, CVE-2021-25144, and CVE-2021-25149,

• Authenticated arbitrary remote command injection - CVE-2021-25150,

• Authenticated arbitrary file write - CVE-2021-25148,

• Unauthenticated command injection via DHCP options - CVE-2020-24636,

• Unauthenticated denial of service via PAPI protocol -CVE-2021-25143,

• Unauthenticated command injection via Web UI - CVE-2021-25162,

• Authenticated arbitrary file write via Web UI (2) - CVE-2021-25155, and CVE-2021-25159,

• Authenticated remote command execution (2) - CVE-2020-24635, and CVE-2021-25146,

• Authentication bypass - CVE-2019-5317 (Jenkins third-party),

• Authenticated reflected cross-site scripting - CVE-2021-25161,

• Unauthenticated arbitrary file read via race condition - CVE-2021-25158,

• Authenticated arbitrary directory create via Web UI - CVE-2021-25156,

• Authenticated arbitrary file read via Web UI - CVE-2021-25157,

• Authenticated arbitrary file write via Web UI to specific backup site - CVE-2021-25160, and

• Remote unauthorized disclosure of information - CVE-2021-25145.

Boston Scientific

Boston Scientific published an advisory discussing the Microsoft TCP/IP vulnerabilities. They report that they are looking into the impact on their products “that use the affected Microsoft Windows 7 and higher operating systems”.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing three vulnerabilities in the PEPPERL+FUCHS P+F RocketLinx products. The vulnerabilities were reported by T. Weber of SEC Consult Vulnerability Lab. PEPPERL+FUCHS has new firmware versions that mitigate the vulnerabilities. There is no indication that Weber was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site request forgery - CVE-2020-12502,

• Improper input validation - CVE-2020-12503, and

• Hidden functionality - CVE-2020-12504

Siemens Advisory

Siemens published an advisory describing an improper access control vulnerability in their Mendix Forgot Password Appstore module. Siemens has a new version that mitigates the vulnerability.

Schneider Advisories

Schneider published two separate advisories, each describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their PowerLogic power meters. Both vulnerabilities were reported by Tal Keren and Rei Henigman of Claroty. Schneider has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.

NOTE: The Claroty report explains the reason for the separate advisories for these very similar vulnerabilities. They note that the different product sets are affected differently, resulting in very different CVSS v3.0 base scores.

Siemens Updates

Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on February 9th, 2021. The new information includes adding the following CVEs:

• CVE-2020-8625,

• CVE-2021-3347,

• CVE-2021-20193,

• CVE-2021-23839,

• CVE-2021-23840,

• CVE-2021-23841, and

• CVE-2021-27212


Siemens published an update for their CodeMeter advisory that was originally published in 2018 and most recently updated on February 9th, 2021. The new information includes updating mitigation measures for:

• SINEC INS, and

• SINEMA Remote Connect

Schneider Updates

Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on January 12th, 2021. The new information includes:

• Adding mitigation measures for EcoStruxure Building SmartX IP MP Controllers, and

• Updating affected version information for EcoStruxure Building SmartX IP RP Controllers


Schneider published an update for their PLC Simulator advisory that was originally reported on November 11th, 2020. The new information includes announcing the development of a remediation plan for CVE-2020-7559.

NOTE: NCCIC-ICS may not update ICSA-20-315-03 for this announcement.

Fatek Report

The Zero Day Initiative published a report of a 0-day improper validation of user supplied data vulnerability in the Fatek PLC WinProladder. According to the report, NCCIC-ICS was supposed to issue an advisory on this last Thursday. I would expect to see it published this coming week.

VMware Exploit

Mikhail Klyuchnikov published a Metasploit module for an improper privilege management vulnerability in the VMware vCenter Server. VMware reported the vulnerability on February 23rd, 2021 with new versions to mitigate.

Saturday, February 13, 2021

Public ICS Disclosures – Week of 2-6-21 – Part 1

This week we have four vendor disclosures from B&R Automation, Dell, GE Healthcare, and Rockwell. There is also an update from Rockwell.

B&R Advisory

B&R published an advisory discussing the CodeMeter vulnerabilities. B&R provides a list of affected products and links to updated versions that mitigate the vulnerabilities.

Dell Advisory

Dell published an advisory describing three vulnerabilities in their AOS SD-WAN. These are third-party vulnerabilities (ArubaOS). Dell has new versions that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Multiple buffer overflows - CVE-2020-24633,

• Unauthenticated remote command injection - CVE-2020-24634, and

• Secureboot bypass - CVE-2020-10713

GE Healthcare Advisory

GE published an advisory describing a buffer overflow vulnerability in unnamed products. This is a third-party (SUDO) vulnerability. GE provides no mitigation measures on their public facing portal. There is a publicly available exploit for this vulnerability.

Rockwell Advisory

Rockwell published an advisory describing an IPv4 denial-of-service vulnerability in their Allen-Bradley MicroLogix 1100 Programmable Logic Controller. This vulnerability was reported by Talos. Rockwell has a firmware update that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

Rockwell Update

Rockwell published an update for their Ripple20 advisory. The new information includes adding the four new vulnerabilities reported by Treck on December 20th, 2020.

Part 2

I will address the Siemens and Schneider advisories and updates from this week that were not covered by NCCIC-ICS in Part 2 of this post.

Saturday, October 24, 2020

Public ICS Disclosures – Week of 10-17-20

We have one new vendor disclosure this week for products from HMS. We also have three vendor updates for products from Rockwell and Schneider (2). We also have news of a possible cyberattack on Softing, a control system vendor.

HMS Advisory

HMS published an advisory discussing the BLURtooth vulnerability. HMS reports that none of their products are affected by this vulnerability.

NOTE: The BLURtooth vulnerability is a currently unpatched vulnerability in some implementations of the Bluetooth standard that allows attacker-in-the-middle exploits. I expect that we will be seeing more vendor communications about this vulnerability in the coming weeks, especially from medical device manufacturers where the use of Bluetooth is more common.

Rockwell Update

Rockwell published an update for their advisory on OSIsoft PI System vulnerabilities that was originally published on May 12th, 2020. The new information includes new version information for vulnerability mitigation.

Schneider Updates

Schneider published an update for their Ripple20  advisory. The new information includes:

• Adding remediation for “EGX150/Link150 Ethernet Gateway”, “Acti9 PowerTag Link / HD”, “Acti9 Smartlink SI D”, and “Acti9 Smartlink SI B”, and

• Adding PowerLogic EGX100 to affected products list.

Schneider published an update for their APC by Schneider Electric Network Management Cards advisory that was originally published on June 23rd, 2020 and most recently updated on September 1st, 2020. The new information includes updated overview section, available remediations and affected products tables (some affected products were moved from the above advisory to this one).

Vendor News

When I checked the Softing advisory web page today an interesting popup appeared. It said:

“IMPORTANT NOTE:

“Softing AG fell victim to targeted cyber attacks through no fault of its own. Unknown perpetrators have invaded the internal networks. In order to avoid possible damage to the IT infrastructure, we have severely restricted the external communication options.

“For urgent inquiries we are still available to our customers under the following contact details:

“Softing Industrial Automation: +49 15119489547”

A brief Google® search reveals no news items about this attack.

As always with an attack on a control system vendor, we have to be concerned about the potential product security problems that could arise from the compromise of the vendor's systems. Access to product source code could allow for easier vulnerability discovery by the attacker, or even modification of that source code to insert vulnerabilities. Access to vendor web site code could allow for the establishment of drive-by download code on the site from which customers fetch firmware and software. None of the above is a given, but it does provide an area for potential concern, particularly if the company is not completely forthcoming about the extent of the attack. Hopefully we are just early in the news cycle on this attack and more information will become publicly available in the coming days.

Saturday, October 17, 2020

Public ICS Disclosures – Week of 10-10-20 – Part 1

This week we have seven vendor disclosures from Eaton, HMS, Bender, Sprecher, Bosch, Rockwell, and Carestream. There are also three vendor updates from ABB and Eaton (2). We also have an exploit that was published for products from BACnet Interoperability Test Services, Inc.

Eaton Advisory

Eaton published an advisory for the CodeMeter vulnerabilities in their Xsoft-CODESYS programming software.

NOTE: This is the first CodeMeter advisory that I have seen that is specifically tied to the 4th-party CODESYS implementation of the Wibu-Systems code.

HMS Advisory

HMS published an advisory for the Ripple20 [corrected link, 10-18-20 0846 EDT] vulnerabilities, reporting that none of their products are affected.

NOTE: The advisory indicates that HMS employed a third-party research firm to help them assess the potential exposure to these vulnerabilities.

Bender Advisory

Bender published an advisory describing an improper authentication vulnerability in their COMTRAXX products. The vulnerability was reported by Maxim Rupp. Bender has a new software version that mitigates the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

Sprecher Advisory

Sprecher published an advisory describing an input validation vulnerability in their SPRECON-E engineering tools. The vulnerability was reported by Gregor Bonney of CyberRange-e at Innogy. Sprecher has a firmware update that mitigates the vulnerability. There is no indication that Bonney has been provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing the Microsoft® remote desktop services vulnerability in their Rexroth industrial PCs.

Rockwell Advisory

Rockwell published an advisory describing five buffer overflow vulnerabilities in their 1794-AENT Flex I/O products. The vulnerabilities were reported (here, here and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds to mitigate these vulnerabilities.

NOTE: The Cisco Talos reports provide proof-of-concept code for the vulnerabilities.

Carestream Advisory

Carestream published an advisory [.PDF download link] describing the Microsoft Bad Neighbor vulnerability. Carestream is looking into the potential effects of this vulnerability on their products.

ABB Update

ABB published an update of their CodeMeter advisory for their Automation Builder products that was originally published on September 17th, 2020. ABB reports that CVE-2020-14517 has not been closed in the latest version of the Wibu-Systems CodeMeter (v.7.10a). That version has been integrated into the latest version of Automation Builder.

Eaton Updates

Eaton published an update for their Ripple20 [Corrected link, 10-18-20, 0851 EDT] advisory that was originally published on June 23rd, 2020 and most recently updated on July 24th, 2020. The new information includes updated mitigation information for Form 4D.

Eaton published an update for their Triangle MicroWorks DNP3 Outstation Libraries vulnerability advisory that was originally published on April 22nd, 2020 and most recently updated on August 6th, 2020. Eaton has updated their affected product list and mitigation measures.

NOTE: The NCCIC-ICS advisory was never updated to provide links to vendors reporting these library vulnerabilities in their products.

BACnet Exploit

Zero Science Lab published an exploit for a remote denial of service vulnerability in the BACnet Test Server from BACnet Interoperability Test Services, Inc. There is no report of a coordinated disclosure or CVE # for this vulnerability so it looks like it may be a 0-day exploit.

More to Come

Part II of this post will include Schneider and Siemens advisories and updates.

Saturday, September 26, 2020

Public ICS Disclosures – Week of 9-19-20

This week we have two vendor disclosures about the CodeMeter vulnerabilities from Bosch and 3S. There are four vendor disclosures for products from Mitsubishi (2), Yokogawa, and Eaton. We also have two researcher reports for vulnerabilities in products from Siemens and Aveva.

CodeMeter Advisories

Bosch published an advisory describing the CodeMeter vulnerabilities in their Rexroth Products. Bosch recommends updating the CodeMeter software. One Bosch update is available to mitigate the vulnerabilities.

3S published an advisory [.PDF download link] describing the CodeMeter vulnerabilities in a number of their products. 3S has new versions of CODESYS V3 that mitigates the vulnerability.

NOTE: This advisory would seem to indicate that the universe of vulnerable products is much larger than previously thought. Vendors using CODESYS products would not have known to check for the CodeMeter vulnerability in their systems.

Mitsubishi Advisories

Mitsubishi published an advisory describing a TCP/IP stack session management vulnerability in a number of their products. The vulnerability was reported by Ta-Lun Yen of Trend Micro via the Zero Day Initiative. Mitsubishi has new versions that mitigate the vulnerability in many of the affected products. There is no indication that Yen has been provided an opportunity to verify the efficacy of the fix.

Mitsubishi published an advisory describing the Ripple20 vulnerabilities in the WiFi interface for a number of their products. Mitsubishi provides generic workarounds for the vulnerabilities.

NOTE: There is no overlap in the product lists for the two advisories which would indicate that two different TCP/IP stacks are being used.

Yokogawa Advisory

Yokogawa published an advisory describing a classic buffer overflow vulnerability in their FA-M3 Programming Tool. The vulnerability was reported by Parity Dynamics. Yokogawa has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Eaton Advisory

Eaton published an advisory describing an uncontrolled search path element vulnerability in their 9000x programming and configuration software. The vulnerability was reported by Yongjun Liu. Eaton has a new version that mitigates the vulnerability. There is no indication that Liu has been provided an opportunity to verify the efficacy of the fix.

Siemens Report

Otorio published a blog post describing two vulnerabilities in the Siemens PCS 7 products. According to the post Siemens will provide instruction to avoid the vulnerabilities in the “next update of SIMATIC PCS 7 Compendium Part F”.

The two reported vulnerabilities are:

• A WinCC configuration flaw, and

• A PCS 7 configuration flaw.

NOTE: I cannot find a Siemens advisory that addresses similarly described vulnerabilities, but without a CVE number I cannot really be sure that Siemens has not addressed them.

Aveva Report

Talos published a report describing three vulnerabilities in the Aveva Enterprise Data Management Web data management platform. These vulnerabilities were previously disclosed by Aveva. The Talos report includes proof-of-concept code.

Saturday, September 19, 2020

Public ICS Disclosures – Week of 9-12-20

This week we have four disclosures for CodeMeter vulnerabilities for products from ABB and Rockwell. There are also three vendor disclosures for products from MB Connect Line, HiSilicon, and B&R. There are 21 researcher reports for vulnerabilities in products from Fuji Electric (20) and Sierra Wireless.

CodeMeter Advisories

ABB published an advisory for the CodeMeter vulnerabilities in their Automation Builder product. ABB provides generic workarounds while it continues to investigate the vulnerabilities.

ABB published an update for their CodeMeter advisory for ABB Products. The new information includes providing a link to the advisory described above.

ABB published an update for their CodeMeter advisory for ABB Drives applications. The new information includes changing the recommended version of CodeMeter for Windows application to version 7.10a.

Rockwell published an update for their CodeMeter advisory for FactoryTalk Activation Manager. The new information includes:

• Updated mitigation information, and

• Updated CodeMeter version information

MB Advisory

CERT-VDE published an advisory describing four vulnerabilities in the mymbCONNECT24 and mbCONNECT24 products. The vulnerabilities were reported by Otorio. MB has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Blind SQL injection - CVE-2020-24569 and CVE-2020-24568,

• SSRF/CSRF - CVE-2020-24570, and

• Unauthenticated RCE – no CVE assigned

HiSilicon Advisory

INCIBE-CERT published an advisory describing five vulnerabilities in IPTV / H.264 / H.265 video encoders based on HiSilicon Hi3520d hardware. The vulnerabilities were reported by Alexei Kojenov; the report contains proof-of-concept code. Affected manufacturers include:

• URayTech;

• J-Tech Digital;

• VeCASTER PRO from Pro Video Instruments.

The five reported vulnerabilities include:

• Backdoor password - CVE-2020-24215 and CVE-2020-24218,

• Path traversal - CVE-2020-24219,

• Unauthenticated file uploads - CVE-2020-24217,

• Buffer overflow - CVE-2020-24214, and

• Unauthorized access to video streaming through RTSP - CVE-2020-24216

B&R Advisory

B&R published an advisory for the Ripple20 vulnerabilities in their products. They report that none of their products are affected by these vulnerabilities.

Fuji Electric Reports

Kimiya published 20 reports (ZDI-20-1184 through ZDI-20-1204) of vulnerabilities in the Fuji Electric Tellus Lite product. The vulnerabilities were reported to ‘ICS-CERT’ (presumably, NCCIC-ICS) by the Zero Day Initiative back in April. These are apparently separate vulnerabilities from the 14 that were reported last week. The reported vulnerabilities include:

• Stack-based buffer overflow,

• Out-of-bounds write, and

• Out-of-bounds read

Sierra Wireless Report

Ruben Santamarta published a blog post describing two vulnerabilities in Sierra Wireless Air Link Products. Sierra Wireless has published an advisory [.PDF download link] for these vulnerabilities. The blog post includes proof-of-concept code.

The two reported vulnerabilities are:

• Privilege escalation - CVE-2020-8781, and

• Remote code execution - CVE-2020-8782

Saturday, September 5, 2020

Public ICS Disclosures – Week of 8-29-20


This week we have two new vendor disclosures for products from SICK and BD. There were also three Ripple20 [Corrected link, 10-18-20, 0857] updates published for products from HMS, Braun and Schneider. We also have a vendor update from Yokogawa. There is also one researcher report with exploits for vulnerabilities for products from Red Lion.

SICK Advisory


SICK published an advisory describing an improper handling of exceptional conditions vulnerability in their SOPAS Engineering Tool. The vulnerability was reported by Ruben Santamarta of IOActive. SICK has released new firmware versions that mitigate the vulnerability. There is no indication that Santamarta has been provided an opportunity to verify the efficacy of the fix.

BD Advisory


BD published an advisory describing three third-party (VMware) vulnerabilities in selected BD products. BD is currently testing the VMware update.

The three reported vulnerabilities are:

• Local privilege escalation - CVE-2020-3957,
• Denial of service - CVE-2020-3958, and
• Memory leak - CVE-2020-3959

Ripple20 Updates


HMS published an update of their Ripple20 advisory that was originally published on June 23, 2020. The new information includes adding the following products to the not affected list:

• Anybus M-Bus to Modbus TCP gateway,
• Anybus WLAN Access Points (AWB4xxx), and
• Ewon Netbiter 100, 200 and 300-series

Braun published an update of their Ripple20 advisory that was originally published on June 30th, 2020. The updated information includes more details on the Ripple20 effect on the Outlook 400ES infusion pump.

Schneider published an update of their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on August 6th, 2020. The new information includes:

• Adding mitigation measures for Cooling Products using NMC2, and
• Adding partial remediations for TM3BC bus coupler module – EIP, TM3BC bus coupler module – SL, and TM3BC bus coupler module – CANOpen

Yokogawa Update


Yokogawa published an update for their CAMS for HIS advisory that was originally published on July 31st, 2020. The new information includes updated affected product data.

Red Lion Report


SEC Consult published a report on multiple vulnerabilities in the Red Lion N-Tron products that were reported last week by CISA NCCIC-ICS. The SEC Consult report includes proof-of-concept exploit code and a list of outdated third-party components.

Saturday, August 29, 2020

Public ICS Disclosures – Week of 8-22-20


This week we have a Ripple20 vendor update from Carestream.

Carestream Update


Carestream published an update of their Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on July 16th, 2020. The updated information includes the note that, after careful review, no Carestream products are affected.

Thursday, August 20, 2020

1 Advisory and 1 Update Published – 8-20-20


Today the CISA NCCIC-ICS published one medical device cybersecurity advisory for products from Philips and updated one control system security advisory for products from Treck.

Philips Advisory


This advisory describes three vulnerabilities in the Philips SureSigns VS4 patient monitor. The vulnerabilities were reported by Cleveland Clinic. Philips has provided generic mitigations for these vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper input validation - CVE-2020-16237,
• Improper access control - CVE-2020-16241, and
• Improper authentication - CVE-2020-16239

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to gain access to administrative controls and system configurations, which could allow changes to system configuration items causing patient data to be sent to a remote destination. The Philips advisory notes that: “This potential vulnerability does not impact patient safety.”

Treck Update


This update provides additional information on the Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on July 21st, 2020. The new information includes a link to a vendor advisory from Johnson Controls for their Sur-Gard System 5 receivers.

NOTE: NCCIC-ICS still has not reported the Siemens Ripple20 advisory that I discussed on July 18th, 2020

Saturday, August 8, 2020

Public ICS Disclosure – Week of 8-1-20


This week we have one new SigRed vendor disclosure from Draeger and one Ripple20 vendor update from Schneider.

Draeger Advisory


Draeger published a SigRed advisory announcing that none of their medical devices were affected by those vulnerabilities.

Schneider Update


Schneider published a Ripple20 advisory update for an advisory that was originally published on June 23, 2020 and most recently updated on July 29th, 2020. The new information includes:

• Updated remediation for Uninterruptible Power Supply (UPS) using NMC2, and
• Corrected affected version and enhanced Remediation/Mitigation version details for Uninterruptible Power Supply (UPS) using NMC2

Tuesday, July 21, 2020

1 Update Published – 7-21-20


Today the CISA NCCIC-ICS published an update for a control system security advisory for products from Treck.

Treck Update


This update provides additional information on an advisory that was originally published on June 16th, 2020 and most recently updated on July 14th, 2020. The new information includes a link to the ABB advisory for the Ripple20 vulnerabilities.

NOTE: NCCIC-ICS has still not included a link to the Siemens advisory for their SPPA-T3000 Solutions distributed control system that I mentioned last Saturday.

Saturday, July 18, 2020

Public ICS Disclosures – Week of 7-11-20


This week we have two new Ripple20 vendor disclosures from Siemens and ABB and three Ripple20 vendor updates from Rockwell, Carestream and Schneider Electric; two SigRed vendor disclosures from Philips and GE Healthcare; and three other vendor disclosures from HMS and Schneider (2). Four vendor updates from Schneider (2) and Siemens (2) and two researcher disclosures for products from Siemens and Advantech round out the week’s offerings.

Ripple20 Disclosures and Updates


Siemens published a Ripple20 advisory for their SPPA-T3000 Solutions distributed control system. Siemens provides generic mitigation measures for these vulnerabilities.

NOTE: Siemens published a note at the top of their Security Publications page noting that:

“No Siemens product is known to use Treck Inc.'s TCP/IP stack, or otherwise be affected by the reported vulnerabilities.
“Note that Siemens products and systems might interact with products from other manufacturers which are affected by the reported vulnerabilities. In such cases Siemens recommends that owners of operational infrastructures verify if these products are affected and evaluate the potential impact of the Ripple20 vulnerabilities.”

Since the SPPA-T3000 advisory also contains two Intel Server Platform Services vulnerabilities, I suspect that the Ripple20 vulnerabilities come with the Intel server upon which the SPPA-T3000 is built.

ABB published a Ripple20 advisory. The advisory contains a list of affected products and generic mitigation measures pending further work to address the vulnerabilities.

Rockwell updated their Ripple20 advisory. The new information includes an updated table of affected products.

Carestream updated their Ripple20 advisory (.PDF download link). The new information includes adding 20 products that were on the ‘still evaluating list’ to the not affected list. The list of affected products has not changed.

Schneider updated their Ripple20 advisory. The new information includes removing the “Smartlink ELEC” from the list of affected products.

SigRed Disclosures


SigRed is the ‘cute’ name given to the Microsoft ‘wormable’ remote code execution DNS vulnerability (CVE-2020-1350).

Philips published a SigRed advisory noting that: “Philips is currently in the process of evaluating the Microsoft patch and vendor recommended mitigation options.”


GE Healthcare published a SigRed advisory noting that: “GE Healthcare is actively assessing products that utilize impacted Microsoft Operating Systems.”

Neither of these advisories provide much in the way of information beyond noting that a vague ‘some’ of their products may be affected.

Vendor Disclosures


HMS published an advisory describing a remote code execution vulnerability in their eCatcher product. The vulnerability was reported by Claroty. HMS has an update that mitigates the vulnerability. There is no indication that Claroty was provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an open redirect vulnerability in their Schneider Electric Software Update (SESU). The vulnerability was reported by Amir Preminger of Claroty. Schneider has a new version that mitigates the vulnerability. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing two denial of service vulnerabilities in their Floating License Manager. These are third-party vulnerabilities in the Flexera FlexNet Publisher (reported here and here). Schneider has a new version that mitigates these vulnerabilities.

NOTE: Flexera is also reporting three other vulnerabilities (CVE-2019-8963, CVE-2020-12080, and CVE-2020-12081) that could potentially affect the Schneider Floating License Manager and a variety of other vendor ‘license manager’ products based upon the Flexera product.

Vendor Updates


Schneider updated their ZombieLoad advisory. The new information includes updated mitigation measures for the HMI products.

Schneider updated their BlueKeep advisory. The new information includes updated mitigation measures for the HMI products.

Siemens updated their Vulnerabilities in Intel CPUs advisory. The new information includes:

• Updated mitigation and affected version information for SIMATIC ITP1000, and
• Removed SIMATIC IPC827E from list of affected devices

Siemens updated their GNU/Linux advisory. The new information includes adding:

• CVE-2020-12114,
• CVE-2020-12659,
• CVE-2020-13630,
• CVE-2020-13631, and
• CVE-2020-13632

Researcher Disclosures


Talos published a report on the Siemens LOGO web server vulnerability that was reported earlier this week. The Talos report includes proof-of-concept code for the vulnerability.

The Zero Day Initiative published 43 reports, all based upon research by rgod, about the Advantech iView vulnerabilities that were reported earlier this week. Most of the reports provided more details on the three CVEs listed in the NCCIC-ICS advisory. One of the reports, however, described an input validation vulnerability that was not reported by NCCIC-ICS.

Saturday, July 11, 2020

Public ICS Disclosures – Week of 7-4-20


This week we have three new Ripple20 advisories and one update. We have two additional vendor disclosures for products from Moxa and GE.

Ripple20 Advisories and Updates


HMS published a Ripple20 advisory which provides a list of HMS products which are not affected by the vulnerabilities.

CERT-VDE published a Ripple20 advisory for the MIELE Communication Module XKM3000 L MED. It provides information on affected equipment and announces that: “A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.”

Draeger published a Ripple20 advisory announcing that Draeger medical devices are not affected.

Braun published a Ripple20 update that lists their Outlook 400ES infusion pump as their only affected product and reports that they are continuing to review Treck patches for applicability.

Moxa Advisory


Moxa has published an advisory describing two vulnerabilities in their MGate 5105-MB-EIP Series Protocol Gateways. The vulnerabilities were reported by Philippe Lin, Marco Balduzzi, Luca Bongiorni, Ryan Flores, Charles Perine, and Rainer Vosseler via the Zero Day Initiative. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture replay - CVE-2020-15494, and
• Exposure of sensitive information to an unauthorized actor - CVE-2020-15493

GE Advisory


GE has published an advisory describing the third-party Ghostcat vulnerability in their APM Connect UDLP 2.8 and earlier products relying upon Apache Tomcat servers. GE provides detailed mitigation measures.

NOTE: As with all third-party vulnerabilities, there is a potential for other ICS vendors to be affected by the same problem.

Tuesday, July 7, 2020

2 Advisories and 1 Update Published – 7-7-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi and Grundfos. They also updated an advisory for products from Treck. CISA also started a new control system security initiative.

Mitsubishi Advisory


This advisory describes six vulnerabilities in the Mitsubishi GOT2000. These vulnerabilities are in the third-party CoreOS. The vulnerabilities are self-reported. Mitsubishi provided instructions on how to update the CoreOS version.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5595,
• Session fixation - CVE-2020-5596,
• Null pointer dereference - CVE-2020-5597,
• Improper access control - CVE-2020-5598,
• Argument injection - CVE-2020-5599, and
• Resource management errors - CVE-2020-5600

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a denial-of-service condition or achieve remote code execution.

NOTE 1: I briefly discussed these vulnerabilities last Saturday.

NOTE 2: NCCIC-ICS did not provide a link to the Mitsubishi advisory.

Grundfos Advisory


This advisory describes two vulnerabilities in the Grundfos CIM 500 communications module. The vulnerabilities were reported by Marcin Dudek from CERT.PL. Grundfos has a new firmware version that mitigates the vulnerabilities. There is no indication that Dudek has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-10605, and
• Unprotected storage of credentials - CVE-2020-10609

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow access to cleartext credential data.

Treck Update


This update provides new information on the Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on June 30th, 2020. The new information includes links to vendor advisories:

• Opto22 (includes list of affected products, new firmware pending), and
• Smiths Medical (includes list of affected products, update pending)

NOTE: NCCIC-ICS has not yet identified the Moxa advisory that I mentioned Saturday.

Mitsubishi Update


This update provides new information on an advisory that was originally published on June 23rd, 2020. The new information includes:

• Correcting the CVE number to that originally reported by Mitsubishi, and
• Adding a link for contacting Mitsubishi about the vulnerability.

[Added 9:20 EDT, 7-7-20; Missed email (SIGH)]


ICS Security Initiative


CISA has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. This 11-page document is a high-level analysis of the current ICS security problem and an aspirational look at how CISA plans on dealing with the problems associated with securing the wide swath of security systems involved in the National Critical Functions (NCF) recently defined by CISA. Probably more on this tomorrow.

Saturday, July 4, 2020

Public ICS Disclosures – Week of 6-27-20


This week we have one new Ripple20 advisory and two updates from vendors. There are two additional vendor advisories from Mitsubishi and Phoenix Contact and two researcher disclosures for products from Delta Industrial Automation and Rockwell.

Ripple20 Advisories


Moxa has published an advisory for the Ripple20 vulnerabilities reporting that none of their products are affected.

HMS has published an update for their Ripple20 advisory that was originally published on June 23, 2020. The new information is the addition of Ewon Netbiter 300-series to the list of unaffected products.

Schneider has published an update for their Ripple20 advisory that was originally published on June 23, 2020. The new information includes:

• Revised affected product data for Enhanced Andover Continuum, and
• Added Acti9 Smartlink EL B to the affected product list.

Mitsubishi Advisory


Mitsubishi published an advisory describing six vulnerabilities in the TCP/IP stack for their GOT2000 Series HMI. Mitsubishi reports that these vulnerabilities are in the third-party CoreOS. These vulnerabilities are self-reported. Mitsubishi has updates that mitigate the vulnerabilities.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5595,
• Session fixation - CVE-2020-5596,
• Null pointer dereference - CVE-2020-5597,
• Improper access control - CVE-2020-5598,
• Argument injection - CVE-2020-5599, and
• Resource management errors - CVE-2020-5600

NOTE: I wonder what other control system products are using the affected CoreOS?

Phoenix Contact Advisory


Phoenix Contact has published an advisory describing two vulnerabilities in their Automation Worx Software Suite. The vulnerabilities were reported by Natnael Samson and mdm via the Zero Day Initiative. Phoenix Contact provides generic mitigation measures pending a new version of the affected products.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-12497, and
• Out-of-bounds read - CVE-2020-12498

Delta Industrial Advisories


The Zero Day Initiative published 13 advisories (ZDI-20-787 thru ZDI-20-799) for two different types of vulnerabilities in the Delta Industrial DOPsoft HMI design software. The vulnerabilities were reported by Natnael Samson. These were coordinated disclosures (via NCCIC-ICS) with an expected fix from Delta Industrial in September. ZDI is reporting these as 0-day vulnerabilities.

The two vulnerability types are:

• Out-of-bounds read, and
• Heap-based buffer overflow

Rockwell Report


Applied Risk published a report describing two vulnerabilities in the Rockwell FactoryTalk Services Platform. Rockwell published their advisory on these vulnerabilities on June 25th, 2020.

Saturday, June 27, 2020

Public ICS Disclosures – Week of 06-20-20


This week we have six Ripple20 [Corrected link, 10-18-20, 0856 EDT] advisories from vendors, one of them an update. There were also four vendor updates from Schneider, Rockwell (2) and Yokogawa. There was a researcher report for products from OSIsoft. There were also four exploits published for products from ABUS, SICK, mySCADA and Inductive Automation.

Ripple20 Advisories and Updates


HMS published a Ripple20 advisory that identifies affected products and generic mitigations.

Eaton published a Ripple20 advisory that identifies affected products and generic mitigations.

Boston Scientific published a Ripple20 advisory that admits that some (unidentified) products have the vulnerabilities but “concluded there is no increased security risk for patients who have our implantable products because of the Treck vulnerabilities”.

Schneider published a Ripple20 advisory that identifies affected products and generic mitigations.

Schneider published a Ripple20 advisory specifically for their network management card products.

Schneider updated their Ripple20 advisory that was originally published on June 16th, 2020. The update refers to the first new advisory described above.

Schneider Update


Schneider published an update of their legacy Triconex advisory that was originally published on April 14th, 2020. The new information includes adding CVE numbers and descriptions and updated affected version and mitigation data.

NOTE: The revised advisory includes an interesting discussion about why Schneider decided that this update was necessary.

Rockwell Updates


Rockwell published an update for their FactoryTalk Linx Path Traversal advisory that was originally published on June 18th, 2020. The new information includes a revised list of affected products.

Rockwell published an update for their FactoryTalk Linx multiple-vulnerability advisory that was originally published on June 11th, 2020. The new information includes a revised list of affected products.

NOTE: The updated information is the same in both updates. See my note on the path traversal advisory in last week’s blog post.

Yokogawa Update


Yokogawa published an update for their unquoted service path advisory that was originally published on September 27th, 2019 and most recently updated November 1st, 2019. The new information includes adding three new products to the affected product list and providing mitigation links for those products.

OSIsoft Report


Otorio published a report on a cross-site scripting vulnerability in the OSIsoft PI Web API 2019. The vulnerability was disclosed by OSIsoft on June 11th, 2020. The report includes a poor-quality video demonstrating an exploit of the vulnerability.

ABUS Exploit


Matthias Deeg published an exploit for a missing encryption of sensitive data vulnerability in the ABUS Secvest Wireless Control Device (FUBE50001). This was reportedly coordinated with ABUS.

SICK Exploit


Aliasrobotics published an exploit for a default credentials vulnerability in the SICK safety PLC. There is no indication that this was reported to SICK, so this is probably a 0-day exploit.

mySCADA Exploit


Emre ÖVÜNÇ published an exploit for a hard-coded credentials vulnerability in the mySCADA myPro HMI. There is no indication that this was reported to mySCADA, so this is probably a 0-day exploit.

Inductive Automation Exploit


Pedro Ribeiro and Radek Domanski published a Metasploit module for a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product. The vulnerability was disclosed by the vendor on June 2nd, 2020 and the NCCIC-ICS advisory was subsequently updated on June 11th, 2020.

Saturday, June 20, 2020

Public ICS Disclosures – Week of 6-13-20


This week we have eight vendor disclosures (3 for the Ripple20 vulnerabilities) for products from Beckhoff, Moxa, Medtronic, GE Health, Draeger (2), Rockwell, and BD. There is also a researcher report of a zero-day for products from Inductive Automation.

Ripple20 Advisories


Medtronic published a Ripple20 advisory reporting no impact.

GE Healthcare published a Ripple20 advisory reporting no impact but advising that there may be possible impact to third party components used in combination with GE Healthcare products.

Draeger published a Ripple20 advisory reporting no impact.

NOTE: “No impact” reports are valuable information. I think the GE nuanced ‘no impact’ report is important where the vendor software may be running on a machine that includes other non-vendor produced software (perhaps including OS?).

Beckhoff Advisory


CERT-VDE published an advisory describing an information leak vulnerability in the Beckhoff TwinCAT RT network driver. The vulnerability is self-reported. Beckhoff has patches that mitigate the vulnerability.

Moxa Advisory


Moxa published an advisory describing a stack-based buffer overflow vulnerability in their EDR-G902 Series and EDR-G903 Series Secure Routers. The vulnerability was reported by Tal Keren from Claroty. Moxa has new firmware to mitigate the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

Draeger Advisory


Draeger published an advisory describing an improper input validation vulnerability in their Perseus A500 product. The vulnerability is self-reported. Draeger has new software that mitigates the vulnerability.

Rockwell Vulnerability


Rockwell published an advisory describing a path traversal vulnerability in their FactoryTalk Linx software. This vulnerability was discovered in the ZDI Pwn2Own competition at this year's S4 Security conference. Rockwell has a patch that mitigates the vulnerability.

NOTE: Rockwell reports that they had previously disclosed this vulnerability in an advisory that was published on June 11th, 2020. I suppose that the Pwn2Own announcement could have been included as an update to that advisory. This may be why NCCIC-ICS has not picked up this advisory.

BD Advisory


BD published an advisory describing a remote code execution vulnerability in a number of BD products that use Microsoft Windows 10®. This is a third-party (MS) SMBv3 server vulnerability. BD is currently working to test and validate the Microsoft patch on the affected products.

Inductive Automation Advisory


The Zero Day Initiative published an advisory describing a deserialization of untrusted data information disclosure vulnerability in the Inductive Automation Ignition product. The vulnerability was reported by Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team. This vulnerability was discovered in the ZDI Pwn2Own competition at this year's S4 Security conference and reported to the vendor. The vendor has not been able to provide an estimated fix date to either ZDI or NCCIC-ICS. This is effectively a zero-day vulnerability.
