Public ICS Disclosures – Week of 5-8-21, Part 1

This is a busier week than normal, even for a ‘Second Tuesday’ week. We have three vendor notifications for the FragAttacks WiFi vulnerabilities from Aruba, Ruckus, and Texas Instruments. We have two vendor notifications for the two OPC UA vulnerabilities reported this week by NCCIC-ICS from Beckhoff, Belden. We also have twelve other vendor notifications from Braun, SITEL (4), PEPPERL+FUCHS, CODESYS (3), Dell, and PulseSecure (2).

There will be a similarly lengthy list in Part 2 tomorrow.

FragAttacks Advisories

Aruba published an advisory discussing the FragAttacks vulnerabilities. Aruba provides a list of affected products and has new versions that mitigate the vulnerabilities.

Ruckus published an advisory discussing the FragAttacks vulnerabilities. Ruckus provides a list of affected products and has updates that mitigate the vulnerabilities.

TI published an advisory discussing the FragAttacks vulnerabilities. TI provides a list of affected products and has new versions that mitigate the vulnerabilities.

OPC UA Advisories

Beckhoff published an advisory discussing the OPC UA advisories. Beckhoff provides a list of affected products and has new versions that mitigate the vulnerabilities.

Belden published an advisory discussing the OPC UA advisories. Belden provides a list of affected products and has new versions that mitigate the vulnerabilities.

Braun Advisory

Braun published an advisory describing four vulnerabilities in a number of their products. The vulnerabilities were reported by McAfee Advanced Threat Research. Braun has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Insufficient verification of data authenticity,

• Missing authentication for critical function,

• Clear-text transmission of sensitive information, and

• Unrestricted upload of file with dangerous type.

SITEL Advisories

Incibe-Cert published an advisory describing a hard-coded credentials vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing a clear-text transmission of sensitive information vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an uncontrolled resource consumption vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing four vulnerabilities in the PEPPERL+FUCHS ICE1 Ethernet IO Modules. These are third-party (Hilscher) vulnerabilities. PEPPERL+FUCHS has provided generic mitigation measures.

The four reported vulnerabilities are:

• Out-of-bounds write (2) - CVE-2021-20987 and CVE-2021-20986,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-20988, and

• Exposure of sensitive information to an unauthorized actor - CVE-2019-18222 (Mbed TLS)

CODESYS Advisories

CODESYS published an advisory describing three vulnerabilities in their CODESYS V2 runtime systems. The vulnerabilities were reported by Yossi Reuven of SCADAfence and Sergey Fedonin and Denis Goryushev of Positive Technologies. CODESYS has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow - CVE-2021-30188, and

• Improper input validation - CVE-2021-30195

CODESYS published an advisory describing six vulnerabilities in their V2 web server. The vulnerabilities were reported by Vyacheslav Moskvin, Sergey Fedonin and Anton Dorfman of Positive

Technologies. CODESYS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-30189,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193, and

• Out-of-bounds read - CVE-2021-30194

CODESYS published an advisory describing an improper neutralization of special elements used in an OS command vulnerability in their CODESYS V2 Runtime Toolkit 32. This is a Linux implementation vulnerability. The vulnerability was reported by van Kurnakov and Sergey Fedonin of Positive Technologies. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Dell Advisory

Dell published an advisory describing an improper authorization vulnerability in their Dell Wyse Windows Embedded System. The vulnerability was reported by Alessandro Baldini and Alessio D'Anastasio. Dell has updates that mitigate the vulnerability.

PulseSecure Advisories

PulseSecure published an advisory describing an HTTP request smuggling vulnerability in their Virtual Traffic Manager (vTM). The vulnerability was reported by James Kettle from PortSwigger Web Security.  PulseSecure has new versions that mitigate the vulnerability. There is no indication that Kettle has been provided an opportunity to verify the efficacy of the fix.

PulseSecure published an advisory describing a buffer overflow vulnerability in their Pulse Connect Secure. PulseSecure provides a work around pending development of a new version that will mitigate the vulnerability.

Public ICS Disclosures – Week of 1-23-21

This week we have nine vendor disclosures from Bosch, ZIV Automation (2), Emerson, GE Healthcare, Johnson Controls, Rockwell (2), and Siemens.

Bosch Advisory

Bosch published an advisory describing a stack-based buffer overflow vulnerability in their Rexroth ID 200/C-ETH using EtherNet/IP Protocol. This is a third-party (Real Time Automation) vulnerability. Bosch provides generic mitigation measures.

ZIV Automation Advisories

Incibe-CERT published an advisory describing an uncontrolled resource consumption vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch available that mitigates the vulnerability. There is no indication that Menendez has been provided an opportunity to verify the efficacy of the fix.

 

Incibe-CERT published an advisory describing an improper authentication vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch available that mitigates the vulnerability. There is no indication that Menendez has been provided an opportunity to verify the efficacy of the fix.

Emerson Advisory

Emerson published an advisory describing the fdtCONTAINER vulnerability in their Rosemont Transmitter Interface Software. Emerson no longer supports that software.

NOTE: This Emerson impact was previously reported by NCCIC-ICS.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing undisclosed vulnerabilities in the VC150 Vital Signs Monitor that they distribute. The Innokas Medical web site simply notes in their software update note for the VC150 that it contains “Cybersecurity enhancements and bug fixes”. GE Healthcare has made the updated software available.

Johnson Controls

Johnson Controls has published an advisory discussing four vulnerabilities in their Sur-Gard System 5 receivers. They are third-party (Treck) vulnerabilities. Johnson Controls has a new version that mitigates the vulnerabilities.

NOTE: This advisory does not specifically name the four vulnerabilities identified by Treck and NCCIC-ICS, it just provides the CVE numbers; CVE-2020-25066,  CVE-2020-27336, CVE-2020-27337, and  CVE-2020-27338.

Rockwell Advisories

Rockwell published an advisory describing the fdtCONTAINER vulnerability in their FactoryTalk AssetCentre. Rockwell has a new version that mitigates the vulnerability.

 

Rockwell published an advisory describing a buffer overflow vulnerability in their MicroLogix 1400 Controller. The vulnerability was reported by Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS. Rockwell provides generic mitigation measures

Siemens Advisory

Siemens published an advisory describing a missing authentication for critical function vulnerability in their SIMATIC HMI Panels. The vulnerability was reported by the Zero Day Initiative. Siemens has new versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The advisory acknowledges the coordination efforts of CISA, so it is likely that NCCIC-ICS will publish an advisory on this vulnerability next week.