Showing posts with label Tal Keren.

Tuesday, September 8, 2020

9 Advisories Published – 9-8-20


Today the CISA NCCIC-ICS published nine control system security advisories for products from Wibu-Systems and Siemens (8). The Wibu advisory was originally published with restricted access on the HSIN ICS library on July 21st, 2020. It has been a little over 22 months since NCCIC-ICS last published an advisory on HSIN before releasing it to the general public.

NOTE: NCCIC-ICS also updated seven advisories from Siemens. I will address those in a separate blog post, probably tomorrow.

Wibu-Systems Advisory


This advisory describes six vulnerabilities in the Wibu-Systems CodeMeter. These vulnerabilities were reported by Sharon Brizinov and Tal Keren of Claroty. Wibu has a new version that, along with other specific measures, mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Buffer access with incorrect length value - CVE-2020-14509,
• Inadequate encryption strength - CVE-2020-14517,
• Origin validation error - CVE-2020-14519,
• Improper input validation - CVE-2020-14513,
• Improper verification of cryptographic signature - CVE-2020-14515, and
• Improper resource shutdown or release - CVE-2020-16233

NOTE: The CVE links are to the respective Wibu advisory. They apparently publish a separate advisory for each vulnerability. These advisories provide a bit more detail than does the NCCIC-ICS advisory.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on CodeMeter.

NOTE: NCCIC-ICS provided links to two vendor advisories for products affected by this vulnerability:

Siemens, and


Polarion Advisory


This advisory describes two vulnerabilities in the Siemens Polarion Subversion Webclient. The vulnerabilities were reported by Li Yifan. Siemens considers the product shareware, distributed “as is,” and there will be no fix as it is no longer supported.

The two reported vulnerabilities are:

• Basic XSS - CVE-2020-15788, and
• Cross-site request forgery - CVE-2020-15789

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to induce the victim to issue an HTTP request that could lead to a state-changing operation.

Industrial Products Advisory


This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Siemens Industrial Products. The Siemens advisory notes that this is the third-party (Intel) Crosstalk vulnerability. The vulnerability was reported by Alyssa Milburn, Hany Ragab, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida from the VUSec group. Siemens is working on an update and currently only provides generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with local access could exploit this vulnerability to allow an authenticated user to disclose information.

SIMATIC Advisory #1


This advisory describes two vulnerabilities in the Siemens SIMATIC HMI Products. The vulnerabilities were reported by Joseph Gardiner from Bristol Cyber Security Group. Siemens is working on an update and currently only provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper restriction of excessive authentication attempts - CVE-2020-15786, and
• Authentication bypass by primary weakness - CVE-2020-15787.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.

Siveillance Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in the Siemens Siveillance Video Client IP video management software. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to obtain valid administrator login names and use this information to launch further attacks.

Spectrum Advisory


This advisory describes two vulnerabilities in the Siemens Spectrum Power products. The vulnerabilities were reported by Can Demirel of Cyberwise. Siemens has updates that mitigate the vulnerabilities. There is no indication that Demirel has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Cleartext storage of sensitive information - CVE-2020-15784, and
• Exposure of information through directory listing - CVE-2020-15790

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow an unauthorized attacker to retrieve a list of software users, or in certain cases to list the contents of a directory.

License Management Advisory


This advisory describes an execution with unnecessary privileges vulnerability in the Siemens License Management Utility (LMU). The vulnerability was reported by Bundesamt für Sicherheit in der Informationstechnik (BSI). Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow local users to escalate privileges.

SIMATIC Advisory #2


This advisory describes an insufficiently protected credentials vulnerability in the Siemens SIMATIC S7-300 and S7-400 CPUs. The vulnerability was reported by Hyunguk Yoo from University of New Orleans and Irfan Ahmed and Adeen Ayub from Virginia Commonwealth University. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow credential disclosure.

SIMATIC Advisory #3


This advisory describes three vulnerabilities in the Siemens SIMATIC RTLS Locating Manager. The vulnerabilities were self-reported. Siemens has an update that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Incorrect default permissions - CVE-2020-10049 and CVE-2020-10050, and
• Unquoted search path or element - CVE-2020-10051

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow a privileged local user to escalate privileges.

Tuesday, July 28, 2020

3 Advisories and 1 Update Published – 7-28-20


Today the CISA NCCIC-ICS published three control system security advisories for products from HMS Industrial Networks, Softing Industrial, and Secomea. They also published an update for an advisory for products from Delta Industrial Automation.

HMS Advisory


This advisory describes a stack-based buffer overflow in the HMS eCatcher VPN client. The vulnerability was reported by Sharon Brizinov of Claroty. HMS has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed. In addition, a buffer overflow condition may allow remote code execution with highest privileges.

NOTE: I briefly discussed this vulnerability earlier this month.

Softing Advisory


This advisory describes two vulnerabilities in the Softing OPC. The vulnerabilities were reported by Uri Katz of Claroty. Softing has a new version that mitigates the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-14524, and
• Uncontrolled resource consumption - CVE-2020-14522

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed. A buffer-overflow condition may also allow remote code execution.

Secomea Advisory


This advisory describes four vulnerabilities in the Secomea GateManager VPN manager. The vulnerabilities were reported by Sharon Brizinov and Tal Keren of Claroty. Secomea has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper neutralization of null byte or null character - CVE-2020-14500,
• Off-by-one error - CVE-2020-14508,
• Use of hard-coded credentials - CVE-2020-14510, and
• Use of password hash with insufficient computational effort - CVE-2020-14512

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain remote code execution on the device.

Delta Update


This update provides additional information on an advisory that was originally published on June 30th, 2020. The new information includes a link to a new version that mitigates the vulnerabilities.

Tuesday, July 14, 2020

9 Advisories Published – 7-14-20


Today the CISA NCCIC-ICS published eight control system security advisories for products from Siemens (6), Moxa and Advantech. They also published one medical device security advisory for products from Capsule Technologies.

NOTE: NCCIC-ICS also published 12 updates, but I will not try to get a report done on those this evening. Look for it tomorrow morning.

Logo Advisory


This advisory describes a classic buffer overflow vulnerability in the Siemens LOGO! Web Server. The vulnerability was reported by Alexander Perez-Palma and Dave McDaniel from Cisco Talos and Emanuel Almeida from Cisco Systems. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

Opcenter Advisory


This advisory describes three vulnerabilities in the Siemens Opcenter Execution Core. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7576,
• SQL injection - CVE-2020-7577, and
• Improper access control - CVE-2020-7578

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain session cookies, read and modify application data, read internal information, and perform unauthorized changes. Should the attacker gain access to the session cookies, they could then hijack the session and perform arbitrary actions in the name of the victim.

SIMATIC S7 Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC S7-200 SMART CPU family. The vulnerability was reported by Ezequiel Fernandez. Siemens has a new version that mitigates the vulnerability. There is no indication that Fernandez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to cause a denial-of-service condition.

UMC Stack Advisory


This advisory describes three vulnerabilities in the Siemens UMC Stack. The vulnerabilities were reported by Victor Fidalgo of INCIBE and Reid Wightman of Dragos. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Unquoted search path or element - CVE-2020-7581,
• Uncontrolled resource consumption - CVE-2020-7587, and
• Improper input validation - CVE-2020-7588

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to cause a partial denial-of-service condition on the UMC component of the affected devices under certain circumstances. This could also allow an attacker to locally escalate privileges from a user with administrative privileges to execute code with SYSTEM level privileges.

SIMATIC HMI Advisory


This advisory describes a cleartext transmission of sensitive information in the Siemens SIMATIC HMI Panels. The vulnerability was reported by Richard Thomas and Tom Chothia of the University of Birmingham.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to access sensitive information under certain circumstances.

SICAM Advisory


This advisory describes nine vulnerabilities in the Siemens SICAM MMU, SICAM T and SICAM SGU products. The vulnerabilities were reported by Luca Simbürger, Luca Hofschuster, Lukas Kahnert, Jakob Lachermeier, Christian Costa, Simon Huber, Lukas Sas Brunschier, Florian Freiberger, Florian Burger, Marie-Louise Oostveen, Magdalena Thomeczek, and Johann Uhrmann from Landshut University of Applied Sciences and Max Hirschberger, Simon Hofmann, and Peter Knauer from Augsburg University of Applied Sciences. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-10037,
• Missing authentication for critical function - CVE-2020-10038,
• Missing encryption of sensitive data - CVE-2020-10039,
• Use of password hash with insufficient computational effort - CVE-2020-10040,
• Cross-site scripting - CVE-2020-10041,
• Classic buffer overflow - CVE-2020-10042,
• Basic XSS - CVE-2020-10043, and
• Authentication bypass by capture replay - CVE-2020-10045

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to affect availability, read sensitive data, and gain remote code execution on the affected devices.

Moxa Advisory


This advisory describes a stack-based buffer overflow in the Moxa EDR-G902 and EDR-G903 Series Routers. The vulnerability was reported by Tal Keren of Claroty. Moxa has a firmware patch that mitigates the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

NOTE 1: NCCIC-ICS did not publish a link to the Moxa advisory.

NOTE 2: I briefly discussed this vulnerability last month.

Advantech Advisory


This advisory describes six vulnerabilities in the Advantech iView device management application. The vulnerabilities were reported by rgod via the Zero Day Initiative. Advantech has a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• SQL injection - CVE-2020-14497,
• Path traversal - CVE-2020-14507,
• Command injection - CVE-2020-14505,
• Improper input validation - CVE-2020-14503,
• Missing authentication for critical function - CVE-2020-14501, and
• Improper access control - CVE-2020-14499

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application.

Capsule Technologies Advisory


This advisory describes a protection mechanism failure vulnerability in the Capsule Technologies SmartLinx Neuron 2 medical device platform. The vulnerability was reported by Patrick DeSantis of Cisco Talos (NOTE: the Talos report includes exploit code). Capsule Technologies has a new version that mitigates the vulnerability. There is no indication that DeSantis has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to exploit the vulnerability to provide an attacker with full control of a trusted device on a hospital’s internal network.

Saturday, June 20, 2020

Public ICS Disclosures – Week of 6-13-20


This week we have eight vendor disclosures (3 for the Ripple20 vulnerabilities) for products from Beckhoff, Moxa, Medtronic, GE Health, Draeger (2), Rockwell, and BD. There is also a researcher report of a zero-day for products from Inductive Automation.

Ripple20 Advisories


Medtronic published a Ripple20 advisory reporting no impact.

GE Healthcare published a Ripple20 advisory reporting no impact but advising that there may be possible impact to third party components used in combination with GE Healthcare products.

Draeger published a Ripple20 advisory reporting no impact.

NOTE: “No impact” reports are valuable information. I think the GE nuanced ‘no impact’ report is important where the vendor software may be running on a machine that includes other non-vendor produced software (perhaps including OS?).

Beckhoff Advisory


CERT-VDE published an advisory describing an information leak vulnerability in the Beckhoff TwinCAT RT network driver. The vulnerability is self-reported. Beckhoff has patches that mitigate the vulnerability.

Moxa Advisory


Moxa published an advisory describing a stack-based buffer overflow vulnerability in their EDR-G902 Series and EDR-G903 Series Secure Routers. The vulnerability was reported by Tal Keren from Claroty. Moxa has new firmware to mitigate the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

Draeger Advisory


Draeger published an advisory describing an improper input validation vulnerability in their Perseus A500 product. The vulnerability is self-reported. Draeger has new software that mitigates the vulnerability.

Rockwell Vulnerability


Rockwell published an advisory describing a path traversal vulnerability in their FactoryTalk Linx software. This vulnerability was discovered in the ZDI Pwn2Own competition at this year’s S4 Security conference. Rockwell has a patch that mitigates the vulnerability.

NOTE: Rockwell reports that they had previously disclosed this vulnerability in an advisory that was published on June 11th, 2020. I suppose that the Pwn2Own announcement could have been included as an update to that advisory. This may be why NCCIC-ICS has not picked up this advisory.

BD Advisory


BD published an advisory describing a remote code execution vulnerability in a number of BD products that use Microsoft Windows 10. This is a third-party (MS) SMBv3 server vulnerability. BD is currently working to test and validate the Microsoft patch on the affected products.

Inductive Automation Advisory


The Zero Day Initiative published an advisory describing a deserialization of untrusted data information disclosure vulnerability in the Inductive Automation Ignition product. The vulnerability was reported by Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team. This vulnerability was discovered in the ZDI Pwn2Own competition in this year’s S4 Security conference and reported to the vendor. The vendor has not been able to provide an estimated fix date to either ZDI or NCCIC-ICS. This is effectively a zero-day vulnerability.

Wednesday, February 12, 2020

13 Advisories and 5 Updates Published – 2-11-20

Today the CISA NCCIC-ICS published 13 control system security advisories for products from Synergy Systems and Solutions, Digi International and Siemens (11). They also updated five control system security advisories for products from Siemens.

Synergy Systems Advisory


This advisory describes two vulnerabilities in the SSS HUSKY RTU. The vulnerabilities were reported by VAPT Team, C3i Center. SSS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2019-20046; and
• Improper input validation - CVE-2019-20045

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read sensitive information, execute arbitrary code, or cause a denial-of-service condition.

Digi Advisory


This advisory describes two vulnerabilities in the Digi ConnectPort LTS 32 MEI. The vulnerabilities were reported by Murat Aydemir and Fatih Kayran of Biznet Bilisim. Digi has a new release that mitigates the vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-6975; and
• Cross-site scripting - CVE-2020-6973

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to limit system availability.

SIPROTEC Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact. The vulnerability was reported by Tal Keren from Claroty. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to conduct a denial-of-service attack over the network.

SIMATIC S7-1500 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7-1500 CPU family. The vulnerability is self-reported. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to conduct denial-of-service attacks.

SCALANCE S-600 Advisory


This advisory describes three vulnerabilities in the Siemens SCALANCE S-600 Firewall. One of the vulnerabilities was reported by Melih Berk Ekşioğlu. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2019-6585; and
• Uncontrolled resource consumption (2) - CVE-2019-13925 and CVE-2019-13926

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to conduct denial-of-service or cross-site scripting attacks. User interaction is required for successful exploitation of the cross-site scripting vulnerability.

OZW Web Server Advisory


This advisory describes an information disclosure vulnerability in the Siemens OZW web server. The vulnerability was reported by Maxim Rupp. Siemens has a new version that mitigates the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow unauthenticated users to access project files.

SIPORT Advisory


This advisory describes an insufficient logging vulnerability in the Siemens SIPORT MP. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow the attacker to create special accounts with administrative privileges.

SCALANCE Advisory


This advisory describes a protection mechanism failure vulnerability in the Siemens SCALANCE X switches. The vulnerability is self-reported. Siemens has updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to perform administrative actions.

SIMATIC PCS 7 Advisory


This advisory describes an incorrect calculation of buffer size vulnerability in the Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC NET PC products. The vulnerability was reported by Nicholas Miles from Tenable. Siemens has new versions that mitigate the vulnerability. There is no indication that Miles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker with network access to cause a denial-of-service condition.

SIMATIC S7 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7 devices. The vulnerability was reported by China Industrial Control Systems Cyber Emergency Response Team. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote attackers to perform a denial-of-service attack by sending a specially crafted HTTP request to the web server of an affected device.

PROFINET Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens PROFINET-IO Stack. The vulnerability was reported by Yuval Ardon and Matan Dobrushin of OTORIO. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to lead to a denial-of-service condition.

NOTE: OTORIO reports that this same vulnerability is found in multiple vendor products including the Moxa EDS Ethernet Switches.

SIMATIC CP Advisory


This advisory describes two vulnerabilities in the Siemens SIMATIC CP 1543-1. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Improper access control - CVE-2019-12815; and
• Loop with unreachable exit condition - CVE-2019-18217

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution and information disclosure without authentication, or unauthenticated denial of service.

Industrial Products Advisory


This advisory describes two vulnerabilities in the Siemens SCALANCE, SIMATIC, SIPLUS products. The vulnerabilities were reported by Artem Zinenko of Kaspersky Lab. Siemens has new versions that mitigate the vulnerabilities. There is no indication that Zinenko has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Data processing errors - CVE-2015-5621; and
• Null pointer dereference - CVE-2018-18065

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote attackers to conduct a denial-of-service attack by sending specially crafted packets to Port 161/UDP (SNMP).

SIMOCODE Update


This update provides additional information on an advisory that was originally published on March 9th, 2019 and most recently updated on January 14th, 2020. The new information includes the addition of two affected products:

• SITOP PSU8600; and
• TIM 1531 IRC

Industrial Products w/OPC UA Update


This update provides additional information on an advisory that was originally published on April 9th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SIMATIC NET PC Software.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SINAMICS DCP.

Industrial Real Time Devices Update


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SINAMICS DCP.

SIMATIC Update


This update provides additional information on an advisory that was originally published on December 10th, 2019. The new information includes updated affected version data and mitigation links for:

• TIM 1531 IRC;
• SIMATIC NET PC Software

Other Siemens Advisories and Updates


Siemens also published two additional advisories and three updates yesterday that have not yet been addressed by NCCIC-ICS.

Additionally, on Monday Siemens published updates of 58 previously published advisories. All of these updates were adding references to the SIPLUS device variants as affected products. Siemens has been adding references to this as they have been updating advisories for the last couple of months, so it looks like they are just doing the final house cleaning on the issue. I do not expect NCCIC-ICS to update all of their applicable advisories.

Wednesday, October 9, 2019

4 Advisories and 6 Updates Published – 10-08-19


Yesterday the DHS NCCIC-ICS published four control system security advisories for products from Siemens (2), GE and SMA Solar Technology. They also updated a medical device advisory for products from BD and five control system advisories for products from Siemens.

SIMATIC Advisory #1


This advisory describes a use of hard-coded cryptographic key vulnerability in the Siemens SIMATIC IT Unified Architecture Discrete Manufacturing (UADM). This vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain read and write access to the related TeamCenter station. The Siemens advisory notes that the remote attacker would have to be authenticated and have network access to port 1434/tcp of SIMATIC IT UADM to exploit the vulnerability.

SIMATIC Advisory #2

This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC WinAC RTX (F) 2010. The vulnerability was reported by Tal Keren from Claroty. Siemens has provided generic workarounds to mitigate the vulnerability. There is no indication that Keren was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to perform a denial-of-service attack that could compromise the availability of the service provided by the software.

GE Advisory

This advisory describes two vulnerabilities in the GE Mark VIe Controller. The vulnerabilities were reported by Sharon Brizinov of Claroty. GE provides generic workarounds to mitigate the vulnerabilities. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authorization - CVE-2019-13554; and
• Use of hard-coded credentials - CVE-2019-13918

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to create read/write/execute commands within the Mark VIe control system.

SMA Advisory


This advisory describes a cross-site request forgery vulnerability in the SMA Sunny WebBox. The vulnerability was reported by Borja Merino and Eduardo Villaverde of the Technical Inspection Laboratory of the Mining School (University of León). SMA provides generic workarounds for this end-of-life product. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to generate a denial-of-service condition, modify passwords, enable services, achieve man-in-the-middle, and modify input parameters associated with devices such as sensors.

BD Update


This update provides additional information on an advisory that was originally published on September 5th, 2019. The updated information includes:

• Revised affected versions for Pyxis ES Versions; and
• New mitigation measures for all products

Industrial Product Update #1

This update provides additional information on an advisory that was originally published on September 10th, 2019. The new information includes revised affected versions and mitigation measures for:

• SINUMERIK 840D sl;
• SINUMERIK 828D; and
• SINUMERIK 808D

NOTE: This advisory describes the Siemens response to the Linux TCP SACK PANIC vulnerabilities.

SIMATIC Update #1


This update provides additional information on an advisory that was originally published on March 9th, 2019 and last updated on July 9th, 2019. The new information includes:

• Renaming SIMATIC WinAC RTX 2010 to SIMATIC WinAC RTX (F) 2010;
• Updating affected version numbers for SIMATIC WinAC RTX (F) 2010; and
• Providing mitigation information for SIMATIC WinAC RTX (F) 2010

SIMATIC Update #2


This update provides additional information on an advisory that was originally published on May 20th, 2018 and most recently updated on May 14th, 2019. The new information includes:

• Renaming SIMATIC WinAC RTX 2010 to SIMATIC WinAC RTX (F) 2010;
• Updating affected version numbers for SIMATIC WinAC RTX (F) 2010; and
• Providing mitigation information for SIMATIC WinAC RTX (F) 2010

Industrial Products Update #2


This update provides additional information on an advisory that was originally published on December 5th, 2017 and most recently updated on March 12th, 2019. The new information includes:

• Renaming SIMATIC WinAC RTX 2010 to SIMATIC WinAC RTX (F) 2010;
• Updating affected version numbers for SIMATIC WinAC RTX (F) 2010; and
• Providing mitigation information for SIMATIC WinAC RTX (F) 2010

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and most recently updated on February 5th, 2019. The new information includes:

• Renaming SIMATIC WinAC RTX 2010 to SIMATIC WinAC RTX (F) 2010;
• Updating affected version numbers for SIMATIC WinAC RTX (F) 2010; and
• Providing mitigation information for SIMATIC WinAC RTX (F) 2010

Other Siemens Announcements


Yesterday Siemens announced a total of five new security advisories and ten advisory updates. Some will be covered (hopefully) later this week by NCCIC-ICS and the remainder I will discuss Saturday.
