Showing posts with label Risk Based Security. Show all posts

Thursday, May 27, 2021

5 Advisories and 5 Updates Published – 5-27-21

Today CISA’s NCCIC-ICS published five control system security advisories for products from Mitsubishi, Siemens, Mesa Labs, Johnson Controls, and GENIVI Alliance. They also published updates for advisories for products from Mitsubishi (3) and Siemens (2).

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R series CPU. The vulnerability was reported by Younes Dragoni of Nozomi Networks. Mitsubishi provides generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker can remotely exploit the vulnerability to prevent legitimate clients from connecting to an affected product.

Siemens Advisory

This advisory describes five vulnerabilities in the Siemens JT2Go and Teamcenter Visualization. The vulnerabilities were reported by Michael DePlante, Francis Provencher, and rgod via the Zero Day Initiative and Carsten Eiram from Risk Based Security.

The five reported vulnerabilities are:

• Out-of-bounds read (3) - CVE-2020-26998, CVE-2020-26999, and CVE-2020-27002,

• Stack-based buffer overflow - CVE-2020-27001,

• Untrusted pointer dereference - CVE-2020-26991

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to lead to arbitrary code execution or information leakage.

NOTE: I briefly discussed these vulnerabilities and the two JT2Go updates below last Saturday.

Mesa Labs Advisory

This advisory describes five vulnerabilities in the Mesa Labs AmegaView continuous monitoring hardware and software platform. The vulnerability was reported by Stephen Yackey of Securifera. There will be no update to mitigate the vulnerabilities because the product is approaching end-of-service (end of the year).

The five reported vulnerabilities are:

• Command injection - CVE-2021-27447 and CVE-2021-27449,

• Improper authentication - CVE-2021-27451,

• Authentication bypass using an alternate path or channel - CVE-2021-27453, and

• Improper privilege management - CVE-2021-27445   

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution or allow access to the device.

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in the Sensormatic Electronics VideoEdge products. This is a third-party (SUDO) vulnerability with multiple published exploits (see here, here, and here for instance). The vulnerability was self-reported.

NCCIC-ICS reported that a relatively low-skilled attacker with local authenticated access could exploit this vulnerability to gain administrative access.

NOTE: This is virtually the same advisory that was published earlier this month for the Sensormatic Tyco AI. Each respective Johnson Control advisory calls the subsidiary ‘American Dynamics’ not Sensormatic.

GENIVI Advisory

This advisory describes a heap-based buffer overflow vulnerability in the GENIVI DLT-Daemon. The vulnerability was reported by Jan Schrewe of Informatik. GENIVI has a new version that mitigates the vulnerability. There is no indication that Schrewe has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to lead to remote code execution or crash the application.

Factory Automation Update #1

This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on January 14th, 2021. The new information includes providing updated affected version information and mitigation measures for:

• EZSocket, and

• PX Developer

Factory Automation Update #2

This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on January 14th, 2021. The new information includes providing updated affected version information and mitigation measures for MELSEC iQ-R Series Motion Module.

FA Engineering Update

This update provides additional information on an advisory that was originally published on February 18th, 2021. The new information includes:

• Adding the following to the list of affected products:

iQ Monozukuri ANDON (Data Transfer), and

iQ Monozukuri Process Remote Monitoring (Data Transfer), and

• Providing updated affected version information and mitigation measures for:

CPU Module Logging Configuration Tool,

CW Configurator,

Data Transfer,

FR Configurator2,

GT Designer3 Version1(GOT1000),

GT Designer3 Version1(GOT2000),

GT SoftGOT1000 Version3,

GT SoftGOT2000 Version1,

GX LogViewer,

PX Developer, and

RT ToolBox3

JT2Go Update #1

This update provides additional information on an advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021. The new information includes:

• Moving CVE-2020-26989, CVE-2020-26990, and CVE-2020-28383 to advisory SSA-663999, and

• Moving CVE-2020-26991 to SSA-695540

JT2Go Update #2

This update provides additional information on an advisory that was originally published on February 9th, 2021. The new information includes:

• Removing vulnerabilities CVE-2020-26991, CVE-2020-26998, CVE-2020-26999, CVE-2020-27001, and CVE-2020-27002, and

• Adding CVE-2020-28383 and CVE-2021-31784.

Saturday, May 22, 2021

Public ICS Disclosures – Week of 5-15-21

This week we have seven vendor disclosures from Bosch, CODESYS (2), WAGO, ENDRESS+HAUSER, Siemens, and VMware. We have two vendor updates from Siemens. Finally, we have a researcher report for products from Advantech.

Bosch Advisory

Bosch published an advisory discussing an input validation vulnerability in their IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC application products. This is a third-party (CODESYS) vulnerability. An update for the ctrlX CORE PLC APP is pending. Generic mitigation measures are provided.

CODESYS Advisories

CODESYS published an advisory describing an improper input validation vulnerability in their CODESYS V3 products. The vulnerability was reported by Alexander Nochvay from Kaspersky Lab ICS CERT. CODESYS has software updates available to mitigate the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory describing a NULL pointer dereference vulnerability in their CODESYS V3 products. The vulnerability was reported by Uri Katz of Claroty. CODESYS has new versions available that mitigate the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

WAGO Advisory

CERT-VDE published an advisory discussing twelve vulnerabilities in the WAGO PLCs. These are third-party (CODESYS) vulnerabilities that were reported by JSC Positive Technologies. WAGO has new firmware versions available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Allocation of resources without limit or throttling - CVE-2021-21000,

• Path traversal - CVE-2021-21001,

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow (2) - CVE-2021-30188, CVE-2021-30189,

• Improper input validation - CVE-2021-30195,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193,

• Out-of-bounds read - CVE-2021-30194,

• Improper neutralization of special elements used in an OS command - CVE-2021-30187

NOTE: The first two vulnerabilities have apparently not yet been addressed by CODESYS and have been given CERT-VDE CPE numbers.

ENDRESS+HAUSER Advisory

CERT-VDE published an advisory discussing the KRACK attacks vulnerabilities in the ENDRESS+HAUSER Proline portfolio flow meter products. ENDRESS+HAUSER has firmware updates that mitigate the vulnerabilities.

Siemens Advisory

Siemens published an advisory describing five vulnerabilities in their JT2Go and Teamcenter Visualization products. The vulnerabilities were reported by the Zero Day Initiative and Carsten Eiram from Risk Based Security. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2020-26991,

• Out-of-bounds read (3) - CVE-2020-26998, CVE-2020-26999, and CVE-2020-27002, and

• Stack-based buffer overflow - CVE-2020-27001

NOTE: Apparently, none of the above vulnerabilities are the 0-day vulnerability that ZDI published for this product on April 28th.

VMWare Advisory

VMWare published an advisory describing three out-of-bounds read vulnerabilities in their VMware Workstation and Horizon Client for Windows. This is a third-party (Cortado ThinPrint) vulnerability. The vulnerabilities were published by Anonymous at ZDI and Hou JingYi of Qihoo 360. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Cortado web site makes the following claim about ThinPrint, so these vulnerabilities may exist in other ICS products.

“Thanks to numerous OEM partnerships, ThinPrint technology components are integrated in a variety of terminals, print boxes and thin client of leading hardware manufacturers.”

Siemens Updates

Siemens published an update for their JT2Go and Teamcenter Visualization advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021. The new information includes:

• Moving vulnerabilities CVE-2020-26989, CVE-2020-26990, and CVE-2020-28383 to advisory SSA-663999 (see below), and

• Moving vulnerability CVE-2020-26991 to SSA-695540 (see new advisory above).

NOTE: NCCIC-ICS should be updating their advisory, ICSA-21-012-03, this coming week.

Siemens published an update for their JT2Go and Teamcenter Visualization advisory that was originally published on February 9th, 2021. The new information includes:

• Removing vulnerabilities CVE-2020-26991, CVE-2020-26998, CVE-2020-26999, CVE-2020-27001, and CVE-2020-27002, and

• Adding vulnerabilities CVE-2020-28383 and CVE-2021-31784 (from update above).

NOTE: NCCIC-ICS should be updating their advisory, ICSA-21-040-06, this coming week.

Advantech Report

ZDI published a report describing a use of hard-coded credentials vulnerability in the Advantech BB-ESWGP506-2SFP-T industrial switches. ZDI coordinated the disclosure with NCCIC-ICS.

Monday, October 7, 2013

ICS-CERT Updates Rockwell Advisory with New Vulnerabilities

Today the DHS ICS-CERT published an update for the control system advisory they published back on April 5th, 2013. The update adds three additional vulnerabilities in the Rockwell Automation FactoryTalk and RSLinx applications. These new vulnerabilities were also discovered by Carsten Eiram of Risk Based Security after the earlier vulnerability updates were made to the Rockwell software. It is not clear why ICS-CERT issued an update instead of publishing a new advisory.

The update adds the following vulnerabilities:

• Out of bounds read, CVE-2013-2805;
• Integer overflow, CVE-2013-2807; and
• Integer overflow, CVE-2013-2806.

NOTE: Links may not work for a couple of days; not shutdown related.

The advisory reports that all three new vulnerabilities can be remotely exploited via Port 4444/UDP to conduct a denial of service attack. Rockwell has produced a new set of patches for these vulnerabilities. There is no indication that Carsten or any other outside agency has validated the efficacy of the most recent patch.
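Since the advisory names UDP port 4444 as the exploitation path, one defensive step is to watch for UDP/4444 traffic toward FactoryTalk/RSLinx hosts that does not originate from an approved engineering workstation, and to treat a high packet count from one source as a denial-of-service indicator. The following is an added example written for this post, not code from the advisory, ICS-CERT or Rockwell; the host addresses, the approved-client list, the rate threshold and the flow records are all constructed.

```python
# Added example: flag UDP/4444 flows to RSLinx/FactoryTalk hosts from unapproved
# sources, and report sources whose packet volume suggests a denial of service.
# Addresses, thresholds and flow records below are constructed for illustration.
from collections import Counter

RSLINX_HOSTS = {"10.10.1.20", "10.10.1.21"}     # assumed FactoryTalk/RSLinx servers
APPROVED_CLIENTS = {"10.10.2.5"}                 # assumed engineering workstation
RSLINX_PORT = 4444                              # UDP port named in the advisory
RATE_THRESHOLD = 100                            # constructed: packets per source per window

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets)
SAMPLE_FLOWS = [
    ("10.10.2.5", "10.10.1.20", "udp", 4444, 12),    # normal workstation traffic
    ("10.10.9.77", "10.10.1.20", "udp", 4444, 3),    # unexpected source
    ("10.10.9.77", "10.10.1.21", "udp", 4444, 250),  # unexpected source, high volume
    ("10.10.2.5", "10.10.1.20", "tcp", 44818, 40),   # unrelated TCP flow, ignored
]


def _is_rslinx_udp(dst, proto, dport):
    """True for UDP traffic to port 4444 on a known RSLinx host."""
    return proto == "udp" and dport == RSLINX_PORT and dst in RSLINX_HOSTS


def flag_flows(flows):
    """Return alerts for UDP/4444 flows to RSLinx hosts from unapproved sources."""
    alerts = []
    for src, dst, proto, dport, _pkts in flows:
        if _is_rslinx_udp(dst, proto, dport) and src not in APPROVED_CLIENTS:
            alerts.append(("unapproved-source", src, dst))
    return alerts


def high_rate_sources(flows, threshold=RATE_THRESHOLD):
    """Return {src: packets} for sources exceeding the UDP/4444 packet threshold."""
    counts = Counter()
    for src, dst, proto, dport, pkts in flows:
        if _is_rslinx_udp(dst, proto, dport):
            counts[src] += pkts
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print("ALERT", *alert)
    print("high-rate sources:", high_rate_sources(SAMPLE_FLOWS))
```

On real data the flow tuples would come from NetFlow/sFlow export or a firewall log, and the approved-client set from the plant's asset inventory.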

Friday, April 5, 2013

ICS-CERT Publishes Two Advisories


Today the DHS ICS-CERT published two advisories for multiple vulnerabilities in Cogent Real-Time Systems and Rockwell FactoryTalk and RSLinx systems.

Cogent Advisory

This advisory describes multiple vulnerabilities reported by Dillon Beresford in the Cogent Real-Time Systems DataHub. The vulnerabilities include:

• Improper input validation, CVE-2013-0681;
• Buffer overflow, CVE-2013-0680;
• Invalid pointer, CVE-2013-0683; and
• Improper exception handling, CVE-2013-0682.

ICS-CERT reports that a relatively low skilled attacker could remotely execute denial of service attacks while a more skilled attacker may be able to execute arbitrary code. Actually the invalid pointer only affects the DataSim or DataPid demonstration tools and not the DataHub.

Cogent has provided a number of suggestions for port settings and firewall configuration, and for turning off the web server, to isolate the reported vulnerabilities. They also suggest upgrading to newer versions of the applications that do not have the reported vulnerabilities. This dual path for mitigations provides owners with options for selecting the most cost-effective mitigation measures for their particular operation.

BTW: There is no mention of whether or not Beresford or ICS-CERT has verified that the updated versions of these applications actually eliminate the reported vulnerabilities.

Rockwell Advisory

This advisory describes multiple vulnerabilities in Rockwell Automation’s FactoryTalk Services Platform and RSLinx Enterprise Software reported by Carsten Eiram of Risk Based Security. The vulnerabilities include:

• Integer overflow – negative integer, CVE-2012-4713;
• Integer overflow – over-size integer, CVE-2012-4714;
• Improper exception handling, CVE-2012-4695; and
• Buffer overflow, CVE-2012-4715.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute a DoS attack and perhaps execute code insertion. The advisory notes that Rockwell has produced (and self-validated) patches for newer versions of the software and recommends upgrading from older versions that will not be patched.

This is the classic upgrade/patch response to control system vulnerabilities. Unfortunately it is not always easy or even possible to patch or upgrade software in a control system in a timely manner. This is why the Cogent response is a more user-friendly method of vulnerability mitigation.