Showing posts with label SCADAfence. Show all posts

Tuesday, June 22, 2021

Review - Four Advisories Published – 6-22-21

Today CISA’s NCCIC-ICS published four control system security advisories for products from CODESYS (3) and Advantech.

Linux SysFile Advisory - This advisory describes an OS command injection vulnerability in the CODESYS V2 Runtime Toolkit.

Control V2 Advisory - This advisory describes three vulnerabilities in the CODESYS V2 Runtime Toolkit and CODESYS PLCWinNT products.

V2 Web Server Advisory - This advisory describes six vulnerabilities in the CODESYS V2 web server.

Advantech Advisory - This advisory describes three vulnerabilities in the Advantech WebAccess HMI Designer. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Advantech is still working on mitigation measures.

For a more detailed look at these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/four-advisories-published Subscription Required.

Saturday, May 15, 2021

Public ICS Disclosures – Week of 5-8-21, Part 1

This is a busier week than normal, even for a ‘Second Tuesday’ week. We have three vendor notifications for the FragAttacks WiFi vulnerabilities from Aruba, Ruckus, and Texas Instruments. We have two vendor notifications, from Beckhoff and Belden, for the two OPC UA vulnerabilities reported this week by NCCIC-ICS. We also have twelve other vendor notifications from Braun, SITEL (4), PEPPERL+FUCHS, CODESYS (3), Dell, and PulseSecure (2).

There will be a similarly lengthy list in Part 2 tomorrow.

FragAttacks Advisories

Aruba published an advisory discussing the FragAttacks vulnerabilities. Aruba provides a list of affected products and has new versions that mitigate the vulnerabilities.

Ruckus published an advisory discussing the FragAttacks vulnerabilities. Ruckus provides a list of affected products and has updates that mitigate the vulnerabilities.

TI published an advisory discussing the FragAttacks vulnerabilities. TI provides a list of affected products and has new versions that mitigate the vulnerabilities.

OPC UA Advisories

Beckhoff published an advisory discussing the OPC UA advisories. Beckhoff provides a list of affected products and has new versions that mitigate the vulnerabilities.

Belden published an advisory discussing the OPC UA advisories. Belden provides a list of affected products and has new versions that mitigate the vulnerabilities.

Braun Advisory

Braun published an advisory describing four vulnerabilities in a number of their products. The vulnerabilities were reported by McAfee Advanced Threat Research. Braun has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Insufficient verification of data authenticity,

• Missing authentication for critical function,

• Clear-text transmission of sensitive information, and

• Unrestricted upload of file with dangerous type.

SITEL Advisories

Incibe-Cert published an advisory describing a hard-coded credentials vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing a clear-text transmission of sensitive information vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an uncontrolled resource consumption vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing four vulnerabilities in the PEPPERL+FUCHS ICE1 Ethernet IO Modules. These are third-party (Hilscher) vulnerabilities. PEPPERL+FUCHS has provided generic mitigation measures.

The four reported vulnerabilities are:

• Out-of-bounds write (2) - CVE-2021-20987 and CVE-2021-20986,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-20988, and

• Exposure of sensitive information to an unauthorized actor - CVE-2019-18222 (Mbed TLS)

CODESYS Advisories

CODESYS published an advisory describing three vulnerabilities in their CODESYS V2 runtime systems. The vulnerabilities were reported by Yossi Reuven of SCADAfence and Sergey Fedonin and Denis Goryushev of Positive Technologies. CODESYS has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow - CVE-2021-30188, and

• Improper input validation - CVE-2021-30195

CODESYS published an advisory describing six vulnerabilities in their V2 web server. The vulnerabilities were reported by Vyacheslav Moskvin, Sergey Fedonin and Anton Dorfman of Positive Technologies. CODESYS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-30189,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193, and

• Out-of-bounds read - CVE-2021-30194

CODESYS published an advisory describing an improper neutralization of special elements used in an OS command vulnerability in their CODESYS V2 Runtime Toolkit 32. This is a Linux implementation vulnerability. The vulnerability was reported by Ivan Kurnakov and Sergey Fedonin of Positive Technologies. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Dell Advisory

Dell published an advisory describing an improper authorization vulnerability in their Dell Wyse Windows Embedded System. The vulnerability was reported by Alessandro Baldini and Alessio D'Anastasio. Dell has updates that mitigate the vulnerability.

PulseSecure Advisories

PulseSecure published an advisory describing an HTTP request smuggling vulnerability in their Virtual Traffic Manager (vTM). The vulnerability was reported by James Kettle from PortSwigger Web Security. PulseSecure has new versions that mitigate the vulnerability. There is no indication that Kettle has been provided an opportunity to verify the efficacy of the fix.

PulseSecure published an advisory describing a buffer overflow vulnerability in their Pulse Connect Secure. PulseSecure provides a workaround pending development of a new version that will mitigate the vulnerability.

Saturday, January 23, 2021

Public ICS Disclosures – Week of 1-16-21

This week we have six vendor disclosures from ABB, Bosch, Belden, WEIDMUELLER, PulseSecure, and Siemens. We have two researcher reports on products from Selea.

ABB Advisory

ABB published an advisory describing an unauthenticated crafted packet vulnerability in their AC500 V2 PLCs. The vulnerability was reported by Yossi Reuven of SCADAfence. ABB has a new firmware version that mitigates the vulnerability. There is no indication that Reuven was provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing two vulnerabilities in their Bosch Fire Monitoring System. The vulnerabilities are self-reported. Bosch has a patch that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2020-6779, and

• Use of password hash with insufficient computational effort - CVE-2020-6780

Belden Advisory

Belden published an advisory describing a firewall bypass vulnerability in their WLAN (HiCLOS) products. The vulnerability is self-reported. Belden has updates available that mitigate the vulnerability.

WEIDMUELLER Advisory

CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in the WEIDMUELLER WI Manager. WEIDMUELLER continues to work on mitigation measures for this vulnerability.

PulseSecure Advisory

PulseSecure published an advisory discussing a third-party (OpenSSL) null pointer dereference vulnerability in their products. They can report that their Pulse Secure vADC is not affected, but they are still looking at other products.

Siemens Advisory

Siemens published an out-of-zone advisory discussing the DNSpooq vulnerabilities in their SCALANCE and RUGGEDCOM Devices. Siemens has provided generic workarounds to mitigate the vulnerabilities pending further development efforts.

Selea Reports

Zero Science Labs has published a report describing a cross-site scripting vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.

Zero Science Labs has published a report describing a privilege escalation vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.

Thursday, October 8, 2020

2 Advisories Published – 10-8-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi and Johnson Controls.

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R Series modules. The vulnerability was reported by Yossi Reuven of SCADAfence. Mitsubishi plans to release a patch to mitigate the vulnerability. In the meantime, they have provided generic workarounds.

According to NCCIC-ICS, a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition through uncontrolled resource consumption.

NOTE: NCCIC-ICS did not provide a link to the Mitsubishi advisory.

Johnson Controls Advisory

This advisory describes an improper authorization vulnerability in the Johnson Controls American Dynamics victor Web Client. The vulnerability was reported by Joachim Kerschbaumer. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with access to an adjacent network could exploit the vulnerability to allow a remote unauthenticated attacker to delete arbitrary files on the system or render the system unusable through a denial-of-service attack.

Tuesday, June 9, 2020

6 Advisories and 4 Updates Published

Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (4), Mitsubishi Electric and Advantech. They also updated four advisories for products from Philips, Siemens (2) and OSIsoft.

SINUMERIK Advisory

This advisory describes 22 vulnerabilities in the Siemens SINUMERIK products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The 22 reported vulnerabilities are:

• Buffer underflow - CVE-2018-15361,
• Heap-based buffer overflow (5) - CVE-2019-8258, CVE-2019-8262, CVE-2019-8271, CVE-2019-8273, and CVE-2019-8274,
• Improper initialization - CVE-2019-8259,
• Out-of-bounds read (3) - CVE-2019-8260, CVE-2019-8267, and CVE-2019-8270,
• Stack-based buffer overflow (3) - CVE-2019-8263, CVE-2019-8269, and CVE-2019-8276,
• Access of memory location after end of buffer (4) - CVE-2019-8264, CVE-2019-8265, CVE-2019-8266, and CVE-2019-8280,
• Off-by-one error (2) - CVE-2019-8268 and CVE-2019-8272,
• Improper null termination - CVE-2019-8275, and
• Improper initialization - CVE-2019-8277

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution, information disclosure, and denial-of-service attacks under certain conditions.

Note: According to the Siemens advisory these are third-party vulnerabilities (in this case in UltraVNC, a remote access system) that were reported by Kaspersky. A number of other VNC systems were included in that report.

SIMATIC Advisory #1

This advisory describes two vulnerabilities in the Siemens SIMATIC and SINAMICS products. The vulnerabilities were reported by Nadav Erez of Claroty. Siemens has new versions that mitigate the vulnerabilities. There is no indication that Erez has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Uncontrolled search path - CVE-2020-7585, and
• Heap-based buffer overflow - CVE-2020-7586

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to affect the availability of the devices under certain conditions.

NOTE: According to the Siemens advisory the vulnerabilities were reported by Uri Katz of Claroty.

SIMATIC Advisory #2

This advisory describes an unquoted search path or element vulnerability in the Siemens SIMATIC, SINAMICS, SINEC, SINEMA and SINUMERIK products. This vulnerability was reported by Ander Martinez of Titanium Industrial Security via INCIBE. Siemens has some updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with authorized local access could exploit the vulnerability to execute custom code with SYSTEM level privileges.

LOGO! Advisory

This advisory describes a missing authentication for critical function vulnerability in the Siemens LOGO! Product. The vulnerability was reported by Alexander Perez-Palma of Cisco Talos and Emanuel Almeida of Cisco Systems. Siemens has provided generic mitigation measures for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to read and modify device configurations and obtain project files from affected devices.

NOTE: The Siemens advisory says that an attacker would have to have access to port 135/tcp to exploit this vulnerability.

Mitsubishi Advisory

This advisory describes a resource exhaustion vulnerability in the Mitsubishi MELSEC iQ-R series modules. The vulnerability was reported by Yossi Reuven of SCADAfence. Mitsubishi has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the Ethernet port to enter a denial-of-service condition.

Advantech Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Advantech WebAccess Node. The vulnerability was reported by Z0mb1E via the Zero Day Initiative. Advantech has a patch that mitigates the vulnerability. There is no indication that Z0mb1E has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the application being accessed; a buffer overflow condition may allow remote code execution.

Philips Update

This update provides additional information on an advisory that was originally published on August 16th, 2018. The new information includes:

• Extending the expected update publication from mid-2019 to 3rd Quarter 2020, and
• Changed mitigation instructions for PageWriter TC50 and TC70

SIMATIC Update

This update provides additional information on an advisory that was originally published on December 10th, 2019 and most recently updated on March 10th, 2020. The new information includes:

• Revised version and mitigation information for SIMOCODE pro V PN, and
• Clarified update version information for SINAMICS G130/G150/S150 and SINAMICS S120

Industrial Products Update

This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated April 14th, 2020. The new information includes:

• Added products SIMATIC NET CP 443-1 OPC UA, CP 443-1 RNA, CP 442-1 RNA, CP 443-1, CP 443-1 Advanced and CP 343-1 Advanced,
• Included additional information to CP 1623 and CP 1628 regarding affected CVE,
• Added new vulnerability: Excessive data query operations in large data table - CVE-2019-8460

Other Siemens Update

There was one other Siemens update that was published today. I will cover it this weekend.

OSIsoft Update

This update provides additional information on an advisory that was originally published on May 12th, 2010. The new information includes:

• Four new affected products:
PI Connector for IEC 60870-5-104,
PI Connector for OPC-UA,
PI Connector for Siemens Simatic PCS 7, and
PI Connector for UFL
• Major change to mitigation measures

Saturday, May 2, 2020

Public ICS Disclosures – Week of April 25th, 2020

This week we have two vendor disclosures for products from Moxa and BD. We also have one researcher disclosure for products from Flexera.

Moxa Advisory

Moxa published an advisory describing an unauthenticated information disclosure vulnerability in their NPort 5100A Series Serial Device Servers. The vulnerability was reported by Maayan Fishelov from SCADAfence. Moxa has a new firmware version that mitigates the vulnerability. There is no indication that Fishelov has been provided an opportunity to verify the efficacy of the fix.

BD Advisory

BD published an advisory describing a third-party scripting engine memory corruption vulnerability affecting their product line. The Internet Explorer® vulnerability was reported and fixed by Microsoft in February 2020. BD is currently working to test and validate the Microsoft patch for BD products.

Flexera Advisory

Tenable published a report describing an improper validation of user-supplied data vulnerability in the Flexera FlexNet Publisher. This was a coordinated disclosure. Flexera has a new version that mitigates the vulnerability. The Tenable report includes proof-of-concept exploit code.

NOTE: This license management tool is used as a third-party component of many products, including some ICS products from vendors such as Johnson Controls, Schneider Electric and Rockwell, to name a few that have shown up in vulnerability reports in the past. It will be interesting to see how fast we see the subsidiary reporting from those affected vendors.
