Showing posts with label TCP/IP Stacks.

Friday, November 12, 2021

Review - 5 Updates Published – 11-11-21

Yesterday, the NCCIC-ICS published five updates for control system security advisories for products from Siemens (4) and multiple embedded TCP/IP stacks.

There were an additional seven updates published by Siemens on Tuesday. I will cover those this weekend.

SIMATIC Update - This update provides additional data on an advisory that was originally published on July 9th, 2020, and most recently updated on September 14th, 2021.

Nucleus Update #1 - This update provides additional data on an advisory that was originally published on April 13th, 2021.

Nucleus Update #2 - This update provides additional data on an advisory that was originally published on April 13th, 2021.

Linux-based Products Update - This update provides additional data on an advisory that was originally published on May 11th, 2021, and most recently updated on October 14th, 2021.

Embedded TCP/IP Stack Update - This update provides additional data on an advisory that was originally published on February 11th, 2021, and most recently updated on February 18th, 2021.

For more details about these updates, including listings of what changed in the update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-updates-published-11-11-21 - subscription required.

Thursday, February 18, 2021

2 Advisories and 3 Updates Published – 2-18-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi and Johnson Controls. They also updated three advisories for products from Mitsubishi, Schneider and multiple TCP/IP stack vendors.

Mitsubishi Advisory

This advisory describes two vulnerabilities in the Mitsubishi FA engineering software products. The vulnerabilities were reported by dliangfun. Mitsubishi has new versions that mitigate the vulnerabilities. There is no indication that dliangfun has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-20587, and

• Improper handling of length parameter inconsistency - CVE-2021-20588

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition.

Johnson Controls Advisory

This advisory describes a path traversal vulnerability in the Johnson Controls Metasys Reporting Engine (MRE) Web Services. The vulnerability was reported by TIM Security Red Team Research. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled, remote, unauthenticated attacker could exploit the vulnerability to access and download arbitrary files from the system.

Mitsubishi Update

This update provides additional information on an advisory that was originally published on October 8th, 2020, and most recently updated on October 29th, 2020. The new information includes updated affected version and mitigation information for the R08/16/32/120PCPU.

Schneider Update

This update provides additional information on an advisory that was originally published on January 12th, 2020. The new information includes a link to the Schneider advisory.

Embedded TCP/IP Stacks Update

This update provides additional information on an advisory that was originally published on February 11th, 2021. The new information includes mitigation measures for FNET.

Thursday, February 11, 2021

2 Advisories and 1 Update Published – 2-11-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell and multiple embedded TCP/IP stacks.

Rockwell Advisory

This advisory describes an uncontrolled search path element vulnerability in the Rockwell DriveTools SP and Drives AOP. The vulnerability was reported by Claroty and Cognite. Rockwell has an update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability resulting in privilege escalation and complete control of the system.

TCP/IP Stacks Advisory

This advisory describes nine separate "use of insufficiently random values" vulnerabilities in multiple open-source and proprietary TCP/IP stacks. The vulnerabilities (nicknamed NUMBER:JACK) were reported by Daniel dos Santos, Stanislav Dashevskyi, Jos Wetzels, and Amine Amri of Forescout Research Labs. Some of the affected vendors have new versions that mitigate the vulnerability in their TCP/IP stack.

The nine reported CVEs (each generally associated with a separate TCP/IP stack vendor) are:

• CVE-2020-27213 - Nut/Net 5.1 - Patch in progress,

• CVE-2020-27630 - uC/TCP-IP 3.6.0 - Patched in the latest version of Micrium OS (successor project),

• CVE-2020-27631 - CycloneTCP 1.9.6 - Patched in version 2.0.0,

• CVE-2020-27632 - NDKTCPIP 2.25 - Patched in version 7.02 of Processor SDK,

• CVE-2020-27633 - FNET 4.6.3 - Documentation updated to warn users and recommend implementing their own PRNG [pseudorandom number generator],

• CVE-2020-27634 - uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5 - No response from maintainers,

• CVE-2020-27635 - PicoTCP 1.7.0, PicoTCP-NG - Version 2.1 removes the default (vulnerable) implementation and recommends users implement their own PRNG,

• CVE-2020-27636 - MPLAB Net 3.6 - Patched in version 3.6.4, and

• CVE-2020-28388 - Nucleus NET 4.3 - Patched in Nucleus NET 5.2 and Nucleus ReadyStart v2012.12.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to hijack or spoof TCP connections, cause denial-of-service conditions, inject malicious data, or bypass authentication.

NOTE: The “NUMBER:JACK” report explains that “Forescout Research Labs has released an open source script that uses active fingerprinting to detect which stack a target device is running.” {pg 6}.

Commentary: Oh this is going to be a fun one. I foresee lots of equipment vendor advisories in the works as everyone scrambles to try to fix this mess. BTW, the Report notes that an attack on this type of vulnerability in the old IT world was known as a Mitnick Attack.
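The NUMBER:JACK issue is that these stacks derive TCP initial sequence numbers (ISNs) from weak or fixed-step generators, which is what made the Mitnick-style spoofing attack possible. The following is an added example, not code from the advisory, from Forescout, or from any affected vendor: it models a fixed-step ISN generator as the weak case, an RFC 6528-style generator (clock plus keyed hash of the connection 4-tuple; the SHA-256 choice and the `isn_*`/`assess` names are my own) as the fixed case, and a simple assessment a defender can run over ISNs captured from a device's SYN-ACKs to see whether each value follows from the previous two.

```python
import hashlib
import os

MASK32 = 0xFFFFFFFF


def isn_counter(state, step=64000):
    """Weak ISN: fixed-step counter. Constructed model of the vulnerable pattern, not vendor code."""
    state["isn"] = (state["isn"] + step) & MASK32
    return state["isn"]


def isn_rfc6528(local_ip, local_port, remote_ip, remote_port, secret, now_us):
    """RFC 6528 shape: ISN = M + F(4-tuple, secret). M is a 4-microsecond clock,
    F a keyed hash (SHA-256 here; the RFC leaves the PRF choice to the implementer)."""
    m = (now_us // 4) & MASK32
    msg = f"{local_ip}:{local_port}-{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hashlib.sha256(secret + msg).digest()[:4], "big")
    return (m + f) & MASK32


def linear_prediction_hits(isns, tolerance=0):
    """Fraction of ISNs that equal isn[i-1] + (isn[i-1] - isn[i-2]) within tolerance,
    i.e. how often the next ISN follows from the last two. 1.0 = fully predictable."""
    if len(isns) < 3:
        raise ValueError("need at least three observed ISNs")
    hits = 0
    for i in range(2, len(isns)):
        guess = (2 * isns[i - 1] - isns[i - 2]) & MASK32
        diff = (isns[i] - guess) & MASK32
        if min(diff, (MASK32 + 1) - diff) <= tolerance:
            hits += 1
    return hits / (len(isns) - 2)


def assess(isns):
    """Classify an observed ISN sequence from consecutive connections to one device."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    if len(deltas) == 1:
        return "predictable: constant increment"
    if linear_prediction_hits(isns) > 0.5:
        return "predictable: linear trend"
    return "no trivial pattern"


if __name__ == "__main__":
    weak_seq = [isn_counter({"isn": 0x12345678}) for _ in range(40)]  # constructed
    secret = os.urandom(16)
    # Constructed: 40 connections to port 502 from successive source ports, 1 ms apart.
    good_seq = [isn_rfc6528("192.0.2.10", 502, "192.0.2.77", 49152 + i, secret, 1000 * i)
                for i in range(40)]
    print(assess(weak_seq), "|", assess(good_seq))
```

Repeated connections on the same 4-tuple will show the clock term M as a linear trend even for the RFC 6528 generator; that is by design, since the scheme only aims to make ISNs of different connections unrelated.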

CodeMeter Update

This update provides new information on an advisory that was originally published on September 8th, 2020, and most recently updated on December 3rd, 2020. The new information includes links to the vendor alert from Drager.
