Showing posts with label Rostelecom-Solar. Show all posts

Tuesday, June 8, 2021

Review - 14 Advisories Published – 6-8-21

Today CISA’s NCCIC-ICS published fourteen control system security advisories for products from Siemens (8), Thales, Schneider Electric (2), AVEVA, Open Design Alliance, and Johnson Controls. NCCIC-ICS also published ten updates today; they will be addressed in a separate blog post tomorrow.

Siemens Advisories

• JT2Go Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens JT2Go and Teamcenter Visualization products.

• SIMATIC Advisory #1 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC RF Products.

• Simcenter Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap products.

• SIMATIC Advisory #2 - This advisory describes fifteen vulnerabilities in the Siemens SIMATIC NET CP 443-1 OPC UA product.

• SIMATIC Advisory #3 - This advisory describes two vulnerabilities in the Siemens SIMATIC TIM 1531 IRC.

• Solid Edge Advisory - This advisory describes two out-of-bounds write vulnerabilities in the Siemens Solid Edge products.

• TIM Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIM 1531 IRC.

• Mendix Advisory - This advisory describes an insufficient verification of data authenticity vulnerability in the Siemens Mendix SAML Module.

Thales Advisory

This advisory describes an incomplete cleanup vulnerability in the Thales Sentinel LDK Run-Time Environment (RTE).

Schneider Advisories

Modicon Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Modicon X80 product.

IGSS Advisory - This advisory describes thirteen vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS).

NOTE: Schneider published four additional advisories today. If they are not addressed by NCCIC-ICS on Thursday, I will discuss them in my Public ICS Disclosure post this weekend.

AVEVA Advisory

This advisory describes a clear-text storage of sensitive information in memory vulnerability in the AVEVA InTouch 2020 R2 product.

NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.

ODA Advisory

This advisory describes eight vulnerabilities in the ODA Drawings SDK product.

Johnson Controls Advisory

This advisory describes an improper privilege management vulnerability in the Johnson Controls Metasys Servers, Engines, and Tools.

NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.

For a more detailed discussion of these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-published-6-8-21. Subscription required.

Saturday, June 5, 2021

Review Public ICS Disclosures – Week of 5-28-21

This week we have six vendor disclosures from Aveva, Johnson Controls, QNAP (3), and Yokogawa. There is one vendor update from Medtronic. There are also six researcher disclosures for products from Aveva (3), Korenix Technology (also affects Westermo and PEPPERL+FUCHS products), Mesa Labs, Bosch (2) and CHIYU. Finally, we have an exploit for products from VMware.

Two of the vendor advisories and the update should be addressed by NCCIC-ICS this coming week.

The Korenix, Mesa Labs, and CHIYU reports contain proof-of-concept exploit code.

The Korenix report also affects products from Westermo and PEPPERL+FUCHS, though the latter had previously published an advisory on the vulnerabilities.

For more details on the disclosures see my report at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-b78 (Subscription Required).


Tuesday, February 23, 2021

3 Advisories Published – 2-23-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Advantech (2) and Rockwell Automation.

Spectre RT Advisory

This advisory describes nine vulnerabilities in the Advantech Spectre RT Industrial Routers. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin of Rostelecom-Solar and Vlad Komarov of ScadaX. Advantech has a newer version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper neutralization of input during web page generation - CVE-2019-18233,

• Cleartext transmission of sensitive information - CVE-2019-18231,

• Improper restriction of excessive authentication attempts - CVE-2019-18235,

• Use of broken or risky cryptographic algorithm (3) - CVE-2018-20679, CVE-2016-6301, and CVE-2015-9261 {3rd party vulnerabilities (BusyBox)}, and

• Use of platform-dependent third-party components (3) - CVE-2016-2842, CVE-2016-0799, CVE-2016-6304 {3rd party vulnerabilities (OpenSSL)}.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow information disclosure, deletion of files, and remote code execution. A number of the NIST CVE reports contain links to publicly available exploits for selected vulnerabilities.

NOTE: I briefly discussed these vulnerabilities back in January.

BB-ESWGP Advisory

This advisory describes a use of hard-coded credentials vulnerability in the Advantech BB-ESWGP506-2SFP-T industrial ethernet switches. The vulnerability was reported by an anonymous researcher via the Zero Day Initiative. Advantech no longer supports this product.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain unauthorized access to sensitive information and execute arbitrary code.

Rockwell Advisory

This advisory describes a use of password hash with insufficient computational effort vulnerability in the Rockwell FactoryTalk Services Platform. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console. These new users could allow an attacker to modify or delete configuration and application data in other FactoryTalk software connected to the FactoryTalk Services Platform.

NOTE: I briefly discussed this vulnerability in August of last year.

Saturday, January 16, 2021

Public ICS Disclosure – Week of 1-9-21 – Part 1

This week we have six vendor disclosures from Advantech, PEPPERL+FUCHS, WAGO, Philips, RUCKUS, and Rockwell (2). We have five vendor updates from Carestream, Mitsubishi, Rockwell, Siemens, and Software Toolbox.

Advantech Advisory

Advantech published an advisory describing six vulnerabilities in their Spectre RT ERT351 and B+B SmartWorx ERT351 products. The vulnerabilities were reported by Vlad Komarov of ScadaX, and Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Advantech has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Improper neutralization of input during web page generation - CVE-2019-18233,

• Cleartext transmission of sensitive information - CVE-2019-18231,

• Improper restriction of excessive authentication attempts - CVE-2019-18235 (Linux vuln),

• Insufficiently protected credentials (no CVE number),

• Usage of broken or risky cryptographic algorithm - CVE-2019-18237,

• Use of vulnerable third-party software - CVE-2019-18239 (OpenSSH and OpenSSL)

PEPPERL+FUCHS Advisory

CERT VDE published an advisory describing a deserialization of untrusted data vulnerability in the PEPPERL+FUCHS PACTware product. This is a third-party (fdtCONTAINER component by M&M Software GmbH) vulnerability. The vulnerability was reported by M&M Software. The vulnerability will be corrected in a version to be released in the second quarter.

WAGO Advisory

CERT VDE published an advisory describing a deserialization of untrusted data vulnerability in unnamed WAGO workstations. This is the same third-party (M&M Software) vulnerability described above.

Philips Advisory

Philips published an advisory describing an undescribed vulnerability on products running on their older Haswell workstations. Philips has a patch that mitigates the vulnerability.

RUCKUS Advisory

RUCKUS published an advisory describing two vulnerabilities in the LLDP module of Ruckus Network’s AP products. These are third-party library vulnerabilities originally reported by Florian Weimer (see links below for original reporting). RUCKUS has patches that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Classic buffer overflow - CVE-2015-8011, and

• Reachable assertion - CVE-2015-8012

Rockwell Advisories

Rockwell published an advisory describing a side-channel leakage vulnerability in the NXP 7x Secure Authentication Microcontrollers. This is a third-party (Google Titan Security Key) vulnerability reported by NinjaLab. Rockwell provides generic mitigation measures.

NOTE: This is going to be an interesting one for a variety of vendors.


Rockwell published an advisory describing the third-party (M&M Software) fdtCONTAINER vulnerability described above in their FactoryTalk AssetCentre products. Rockwell has a software update that mitigates the vulnerability.

NOTE: Third-party vulnerabilities strike far and wide (SIGH).

Carestream Update

Carestream published an update [.PDF download link] for their Bad Neighbor advisory that was originally published on October 15th, 2020. The new information includes:

• A list of unaffected products, and

• A list of two affected products (Image Suite and Omni) with mitigation measures.

Mitsubishi Update

Mitsubishi published an update for their MC Works64 advisory that was originally published on June 18th, 2020 and most recently updated on December 8th, 2020. The new information includes adding mitigation measures for MC Works64 Version 2.00A - 2.02C.

NOTE: NCCIC-ICS published an advisory for these vulnerabilities back in June but has not yet updated it for any of the updates that Mitsubishi has published. This is probably due to a failure by Mitsubishi to inform NCCIC-ICS of the updates.

Rockwell Update

Rockwell published an update for their FactoryTalk Linx advisory that was originally published on December 27th, 2020. The new information includes links to mitigation measures for three of the vulnerabilities.

Siemens Update

Siemens published an out-of-zone update for their SolidEdge advisory that was originally published on January 12th, 2021. The new information includes additional mitigation information for SolidEdge SE2020.

Software Toolbox Update

Software Toolbox published an update for their TopServer advisory that was originally published on December 9th, 2020. The new information includes adding the CVE numbers for the included vulnerabilities.

NOTE: This advisory was included in ICSA-20-352-02. This update will probably not be mentioned by NCCIC-ICS since the link provided in their advisory takes one to this update.

Tuesday, December 8, 2020

11 Advisories Published – 12-8-20

Today the CISA NCCIC-ICS published 10 control system security advisories for products from Siemens (6), Schneider (2), Mitsubishi, and multiple vendors. They also published a medical device security advisory for products from GE Healthcare.

NOTE: NCCIC-ICS also published 13 updates (according to an email I received from CISA) for previously published advisories. Interestingly the ICS Archive Information Products web page only currently lists 5 updates. In any case, I will address these updates tomorrow.

LOGO! Advisory

This advisory describes eight vulnerabilities in the Siemens LOGO! 8 BM products. The vulnerabilities were reported by Thomas Meesters from cirosec GmbH, as well as Tobias Gebhardt, and Max Bäumler. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-25228,

• Use of hard-coded cryptographic key (4) - CVE-2020-25229, CVE-2020-25231, CVE-2020-25233, and CVE-2020-25234,

• Use of a broken or risky cryptographic algorithm (2) - CVE-2020-25230, and CVE-2020-25232, and

• Insufficiently protected credentials - CVE-2020-25235

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker the ability to make configuration and password changes, capture device keys, access confidential information, and gain full control of the device.

SIMATIC Advisory

This advisory describes an uncaught exception vulnerability in the Siemens SIMATIC Controller Web Servers. The vulnerability is self-reported. Siemens has updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition.

TightVNC Advisory

This advisory describes four vulnerabilities in the Siemens SIMATIC products using TightVNC (v1.X), a remote-control software package. TightVNC is an open-source third-party product. The vulnerabilities were reported by Kaspersky Labs. Siemens has updates for some of the affected products. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow (2) - CVE-2019-15678, and CVE-2019-15679,

• Null pointer dereference - CVE-2019-15680, and

• Classic buffer overflow - CVE-2019-8287

NOTE: The Kaspersky report identifies vulnerabilities in three other implementations of the VNC protocol: LibVNC, TurboVNC and UltraVNC. Other products (other vendors) with remote access capabilities are going to be affected by these issues. This is going to be a fun one.

SICAM Advisory

This advisory describes a protection mechanism failure vulnerability in the Siemens SICAM A8000 Remote Terminal Unit Series. The vulnerability was reported by Sam Hamra from KTH Royal Institute of Technology. Siemens has a version that mitigates the vulnerability. There is no indication that Hamra has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to gain unauthorized read or write access to network traffic to or from the device.

XHQ Advisory

This advisory describes seven vulnerabilities in the Siemens XHQ Operations Intelligence. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The seven reported vulnerabilities are:

• Exposure of sensitive information to an unauthorized actor - CVE-2019-19283,

• Cross-site scripting - CVE-2019-19284, and CVE-2019-19288,

• Basic XSS - CVE-2019-19285,

• SQL injection - CVE-2019-19286,

• Relative path traversal - CVE-2019-19287, and

• Cross-site request forgery - CVE-2019-19289

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read sensitive information, modify web content, and perform cross-site scripting and cross-site request forgery on unsuspecting users.

Embedded TCP/IP Stack Advisory

This advisory describes an integer overflow vulnerability in the Siemens SENTRON PAC3200, SENTRON PAC4200, and SIRIUS 3RW5 products. This is the third-party Amnesia33 vulnerability. The vulnerability was reported by Daniel dos Santos, Stanislav Dashevskyi, Jos Wetzels, and Amine Amri of Forescout Research Labs. Siemens has upgrades available for some of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

Modicon Advisory

This advisory describes five vulnerabilities in the Schneider Modicon M221 Programmable Logic Controller. The vulnerabilities were reported by Yehuda Anikster and Rei Henigman of Claroty, and Seok Min Lim and Bryon Kaan of Trustwave. Schneider has provided generic workarounds to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Inadequate encryption strength - CVE-2020-7565,

• Small space of random values - CVE-2020-7566,

• Missing encryption of sensitive data - CVE-2020-7567,

• Exposure of sensitive information - CVE-2020-7568, and

• Use of a one-way hash with a predictable salt - CVE-2020-28214

NCCIC-ICS reports that an uncharacterized attacker on an adjacent network could exploit the vulnerabilities to allow an attacker to take control over the PLC and gain unauthorized access, which could result in exposure of sensitive information.

NOTE 1: I briefly reported on the original Schneider advisory back in November. This NCCIC-ICS advisory is based upon an updated version of that advisory published today that adds the last vulnerability reported above.

NOTE 2: The Trustwave report includes proof-of concept exploit code.
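The last item in the Modicon M221 list above (a one-way hash with a predictable salt) and the Rockwell FactoryTalk Services Platform advisory earlier on this page (a password hash with insufficient computational effort) are two faces of the same password-storage weakness. The Python below is an added example written for this page; it is not code from Schneider, Rockwell, Claroty, Trustwave, NCCIC-ICS or the blog, and it says nothing about how those products actually store credentials. The constant salt, the 4-digit PIN candidate space and the PBKDF2 iteration count are constructed values; the iteration count in particular is an assumption to be tuned per platform.

```python
"""Added example (not from the page or any vendor advisory): weak vs. hardened
password storage for the two CWE classes named in the text."""
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, List, Optional, Tuple

# ---- Weak scheme: one fast hash round, the same salt on every unit ----------
FIXED_SALT = b"device-salt"  # constructed constant; a "predictable salt" in CWE terms


def weak_hash(password: str) -> str:
    """Single SHA-256 over constant salt + password: fast and table-attackable."""
    return hashlib.sha256(FIXED_SALT + password.encode()).hexdigest()


def build_table(candidates: List[str]) -> Dict[str, str]:
    """Digest -> password table. Because the salt never changes, one table built
    offline cracks the stored hash on *every* device that uses this scheme."""
    return {weak_hash(p): p for p in candidates}


def crack_weak(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """A dictionary lookup; no hashing work is needed at attack time."""
    return table.get(stored_digest)


# ---- Hardened scheme: per-user random salt and a slow, iterated KDF --------
PBKDF2_ITERATIONS = 200_000  # assumption: tune so one derivation costs ~100 ms on target hardware


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte salt per user makes any
    precomputed table useless, and the iteration count makes each guess cost."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def strong_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = strong_hash(password, salt)
    return hmac.compare_digest(dk, expected)


def pin_space() -> List[str]:
    """Constructed candidate set: every 4-digit PIN (10,000 values)."""
    return ["".join(t) for t in itertools.product(string.digits, repeat=4)]


if __name__ == "__main__":
    table = build_table(pin_space())
    print("weak scheme, recovered from stored digest:", crack_weak(weak_hash("4471"), table))
    salt, dk = strong_hash("4471")
    print("strong scheme, verify correct PIN:", strong_verify("4471", salt, dk))
    print("strong scheme, verify wrong PIN:", strong_verify("4472", salt, dk))
```

Two things to notice when running it: hashing the same password twice under the hardened scheme yields two different stored values, so a table can no longer be shared across users or devices, and every guess against the hardened store costs the full PBKDF2 iteration count instead of one SHA-256 call.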

Easergy Advisory

This advisory describes five vulnerabilities in the Schneider Easergy T300. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-7561,

• Missing authorization - CVE-2020-28215,

• Missing encryption of sensitive data (2) - CVE-2020-28216, and CVE-2020-28217, and

• Improper restriction of rendered UI layers or frames - CVE-2020-28218

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to obtain unauthorized access to the internal product LAN, which could result in exposure of sensitive information, denial of service, and remote code execution when access to a resource from an attacker is not restricted or incorrectly restricted.

NOTE: I briefly reported on the original Schneider advisory back in November. This NCCIC-ICS advisory is based upon an updated version of that advisory published today that adds the last four vulnerabilities reported above.

NOTE: Schneider also published nine new advisories and three additional updates today. I suspect that I will be addressing these this weekend.

Mitsubishi Advisory

This advisory describes an out-of-bounds read vulnerability in the Mitsubishi GOT and Tension Controller. The vulnerability is self-reported. Mitsubishi is providing generic mitigation measures while it continues to work on a fixed version of the products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause deterioration of communication performance or cause a denial-of-service condition of the TCP communication functions of the products.

NOTE: I briefly reported on this vulnerability last weekend.

Embedded TCP/IP Stacks Advisory

This advisory discusses the Amnesia33 vulnerabilities that were briefly addressed in the Siemens TCP/IP advisory above. This separate advisory lists 33 distinct vulnerabilities (thus the ‘33’ in the title of the Forescout report) found in the different TCP/IP stack implementations. It also provides a list of vendor advisories for products affected by these vulnerabilities:

Devolo

EMU Electronic AG

FEIG

Genetec

Harting

Hensoldt

Microchip

Nanotec

NT-Ware

Tagmaster

Siemens

Uniflow

Yanzi Networks

It is interesting that NCCIC-ICS published a separate advisory for the Siemens version of the vulnerability.

GE Advisory

This advisory describes two vulnerabilities in the GE Imaging and Ultrasound Products. The vulnerabilities were reported by Lior Bar Yosef and Elad Luz of CyberMDX. GE has publicly provided generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Unprotected transport of credentials - CVE-2020-25175, and

• Exposure of sensitive system information to an unauthorized control sphere - CVE-2020-25179

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges. A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.


Saturday, November 14, 2020

Public ICS Disclosures – Week of 11-07-20

This week we have eight vendor disclosures for products from Schneider (7) and Thales Group. We also have nine updates for advisories for products from Schneider (5), Siemens (2), Carestream and Rockwell.

Schneider Advisories

Schneider published an advisory describing three vulnerabilities in the web servers of their Modicon M340, Modicon Quantum and Modicon Premium Legacy products. The vulnerabilities were reported (here and here) by Kai Wang of Fortinet's FortiGuard Labs. Schneider is working on mitigation measures for those affected products that are not end-of-life.

The three reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-7562,

• Out-of-bounds write - CVE-2020-7563, and

• Classic buffer overflow - CVE-2020-7564


Schneider published an advisory describing an improper privilege management vulnerability in their EcoStruxure™ Operator Terminal Expert runtime (Vijeo XD). The vulnerability was reported by Lasse Trolle Borup of Danish Cyber Defence. Schneider has a service pack that mitigates the vulnerability. There is no indication that Borup has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing nine vulnerabilities in their Interactive Graphical SCADA System (IGSS) product. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (4) – CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,

• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and

• Out-of-bounds read - CVE-2020-7557


Schneider published an advisory describing seven vulnerabilities in their EcoStruxure Building Operation (EBO) product offerings. The vulnerabilities were reported by Luis Vázquez, Francisco Palma, and Diego León of Zerolynx, and Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, and Massimiliano Brolli of TIM Security Red Team Research. Schneider has a version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-7569,

• Cross-site scripting stored - CVE-2020-7570,

• Cross-site scripting reflected - CVE-2020-7571,

• Improper restriction of XML external entity reference - CVE-2020-7572,

• Improper access control - CVE-2020-7573,

• Windows unquoted search path - CVE-2020-28209, and

• Cross-site scripting - CVE-2020-28210


Schneider published an advisory describing four vulnerabilities in their Modicon M221 product. The vulnerabilities were reported by Yehuda Anikster and Rei Henigman of Claroty, and Seok Min Lim and Bryon Kaan of Trustwave (here). Schneider provides generic workarounds to mitigate the vulnerabilities.

The four reported vulnerabilities are:

• Inadequate encryption strength - CVE-2020-7565,

• Small space of random values - CVE-2020-7566,

• Missing encryption of sensitive data - CVE-2020-7567, and

• Exposure of sensitive data to an unauthorized actor - CVE-2020-7568

NOTE: The Trustwave report contains proof-of-concept code.


Schneider published an advisory describing an improper access control vulnerability in their Easergy T300 remote terminal unit. The vulnerability was reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory discussing the Drovorub malware and its impact on their Q Data Radio and J Data Radio devices. Schneider is providing generic workarounds pending further work on mitigating the vulnerabilities.

Thales Advisory

Thales Group published an advisory for their Sentinel RMS License Manager. The advisory is only available to registered customers. We should expect to see various vendors incorporating the fix for this in their affected products.

Schneider Updates

Schneider published an update for their Ripple20 advisory. The new information includes adding mitigation measures for:

• eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers,

• IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers, and

• IFE Gateway


Schneider published an update for their EcoStruxure advisory that was originally published on May 12th, 2020 and most recently updated on June 9th, 2020. The new information includes adding mitigation measures for CVE-2020-7495 & CVE-2020-7497.


Schneider published an update for their Modicon M218/M241/M251/M258 Logic Controllers advisory that was originally published on April 14th, 2020. The new information includes adding mitigation measures for M258.


Schneider published an update for their Modicon Controllers advisory that was originally published on March 20th, 2020. The new information includes adding mitigation information for CVE-2020-7475.


Schneider published an update for their Modicon M580 controller advisory that was originally published on October 8th, 2019. The new information includes adding mitigation information for CVE-2019-6848 and CVE-2019-6849.

Siemens Updates

Siemens published an update for their CodeMeter advisory. The new information includes adding SICAM 230 to the list of affected versions including mitigation measures.


Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on October 13th, 2020. The new information includes adding:

• CVE-2020-10769,

• CVE-2020-14314,

• CVE-2020-25211, and

• CVE-2020-25641

Carestream Update

Carestream published an update [.PDF download link] for their Bad Neighbor advisory. The new information includes lists of affected and unaffected products.

Rockwell Update

Rockwell published an update for their Urgent/11 advisory. The new information includes mitigation measures for ControlLogix 5580 and CompactLogix products.


Tuesday, October 13, 2020

6 Advisories Published – 10-13-20

Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (2), Fieldcomm Group, Flexera, LCDS, and Moxa.

SIPORT Advisory

This advisory describes a use of client-side authentication vulnerability in the Siemens SIPORT MP access control system. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an authenticated attacker to impersonate other users of the system and perform (potentially administrative) actions on behalf of those users if the single sign-on feature (“Allow logon without password”) is enabled.

Desigo Advisory

This advisory describes three vulnerabilities in the Siemens Desigo Insight product. The vulnerabilities were reported by Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, and Massimiliano Brolli from TIM Security Red Team Research. Siemens has a ‘hotfix’ available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• SQL injection - CVE-2020-15792,

• Improper restriction of rendered UI layers or frames - CVE-2020-15793, and

• Exposure of sensitive information to an unauthorized actor - CVE-2020-15794

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to retrieve or modify data and gain access to sensitive information.

Fieldcomm Group Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fieldcomm HART-IP Developer Kit. The vulnerability was reported by Reid Wightman from Dragos, Inc. Fieldcomm has a new version for one of the affected products that mitigates the vulnerability. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

Flexera Advisory

This advisory describes an untrusted search path vulnerability in the Flexera InstallShield product. The vulnerability was reported by an anonymous researcher. Flexera will only provide mitigation measures and work arounds to registered owners.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow execution of a malicious DLL.

NOTE: This vulnerability was reported by Flexera in 2016, so why is NCCIC-ICS reporting this now? Both IBM (Tivoli Storage Manager) and Tenable (Nessus Network Monitor) have issued advisories covering this as a third-party vulnerability in 2016 and 2019 respectively. I suspect that there are other vendors that also use InstallShield that may be unaware of the vulnerability or may not have addressed it.

LCDS Advisory

This advisory describes an out-of-bounds read vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by an anonymous researcher via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

Moxa Advisory

This advisory describes six vulnerabilities in the Moxa NPort IAW5000A-I/O Series integrated serial device server. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has an updated firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation - CVE-2020-25198,

• Improper privilege management - CVE-2020-25194,

• Weak password requirements - CVE-2020-25153,

• Cleartext transmission of sensitive information - CVE-2020-25190,

• Improper restriction of excessive authentication attempts - CVE-2020-25196, and

• Exposure of sensitive information to unauthorized actor - CVE-2020-25192

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain access to and hijack a session; allow an attacker with user privileges to perform requests with administrative privileges; allow the use of weak passwords; allow credentials of third-party services to be transmitted in cleartext; allow the use of brute force to bypass authentication on an SSH/Telnet session; or allow access to sensitive information without proper authorization.

NOTE: I briefly described these vulnerabilities back in August. Moxa has updated their advisory to list the CVE numbers assigned by NCCIC-ICS.

Siemens Updates

NCCIC-ICS also published four Siemens updates today. I will cover them in a post tomorrow.

Wednesday, February 26, 2020

5 Advisories Published – 2-25-20

Yesterday the CISA NCCIC-ICS published five control system security advisories for products from Honeywell and Moxa (4).

Honeywell Advisory

This advisory describes three vulnerabilities in the Honeywell WIN-PAK monitoring platform. The vulnerabilities are self-reported. Honeywell has an update available that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7005;
• Improper neutralization of HTTP headers for scripting syntax - CVE-2020-6982; and
• Use of obsolete function - CVE-2020-6978

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to achieve remote code execution.

EDS-G516E Advisory

This advisory describes seven vulnerabilities in the Moxa EDS-G516E series and EDS-510E series Ethernet switches. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-7007;
• Use of broken or risky encryption algorithm - CVE-2020-7001;
• Use of hard-coded cryptographic key - CVE-2020-6979;
• Use of hard-coded credentials - CVE-2020-6981;
• Classic buffer overflow - CVE-2020-6989;
• Cleartext transmission of sensitive information - CVE-2020-6997; and
• Weak password requirements - CVE-2020-6991

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device, execute arbitrary code, and allow access to sensitive information.

PT-7528 Advisory

This advisory describes six vulnerabilities in the Moxa PT-7528 Series and PT-7828 Series Ethernet switches. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has a security patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-6989;
• Use of broken or risky cryptographic algorithm - CVE-2020-6987;
• Use of a hard-coded cryptographic key - CVE-2020-6983;
• Use of hard-coded credentials - CVE-2020-6985;
• Weak password requirements - CVE-2020-6995; and
• Information exposure - CVE-2020-6993

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device or allow access to sensitive information.

ioLogik 2542-HSPA Advisory

This advisory describes three vulnerabilities in the Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar. Moxa has a security patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Clear-text storage of sensitive information - CVE-2019-18238;
• Clear-text transmission of sensitive information - CVE-2020-7003; and
• Incorrectly specified destination in a communication channel - CVE-2019-18242

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device or allow access to sensitive information.

MB3xxx Advisory

This advisory describes nine vulnerabilities in the Moxa MB3170 series, MB3180 series, MB3270 series, MB3280 series, MB3480 series, and MB3660 series protocol gateways. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2019-9099;
• Integer overflow to buffer overflow - CVE-2019-9098;
• Cross-site request forgery - CVE-2019-9102;
• Use of broken or risky encryption algorithm - CVE-2019-9095;
• Information exposure - CVE-2019-9103;
• Clear-text transmission of sensitive information - CVE-2019-9101;
• Weak password requirements - CVE-2019-9096;
• Clear-text storage of sensitive information - CVE-2019-9104; and
• Incorrectly specified destination in a communication channel - CVE-2019-9097

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device, cause a buffer overflow, allow remote execution of arbitrary code, or allow access to sensitive information.

NOTE: All four of these Moxa advisories cover vulnerabilities that were originally reported by Moxa on September 25th, 2019.
