Showing posts with label Trend Micro. Show all posts

Tuesday, June 8, 2021

Review - 14 Advisories Published – 6-8-21

Today CISA’s NCCIC-ICS published fourteen control system security advisories for products from Siemens (8), Thales, Schneider Electric (2), AVEVA, Open Design Alliance, and Johnson Controls. NCCIC-ICS also published ten updates today; they will be addressed in a separate blog post tomorrow.

Siemens Advisories

• JT2Go Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens JT2Go and Teamcenter Visualization products.

• SIMATIC Advisory #1 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC RF Products.

• Simcenter Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap products.

• SIMATIC Advisory #2 - This advisory describes fifteen vulnerabilities in the Siemens SIMATIC NET CP 443-1 OPC UA product.

• SIMATIC Advisory #3 - This advisory describes two vulnerabilities in the Siemens SIMATIC TIM 1531 IRC.

• Solid Edge Advisory - This advisory describes two out-of-bounds write vulnerabilities in the Siemens Solid Edge products.

• TIM Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIM 1531 IRC.

• Mendix Advisory - This advisory describes an insufficient verification of data authenticity vulnerability in the Siemens Mendix SAML Module.

Thales Advisory

This advisory describes an incomplete cleanup vulnerability in the Thales Sentinel LDK Run-Time Environment (RTE).

Schneider Advisories

Modicon Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Modicon X80 product.

IGSS Advisory - This advisory describes thirteen vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS).

NOTE: Schneider published four additional advisories today. If they are not addressed by NCCIC-ICS on Thursday, I will discuss them in my Public ICS Disclosure post this weekend.

AVEVA Advisory

This advisory describes a clear-text storage of sensitive information in memory vulnerability in the AVEVA InTouch 2020 R2 product.

NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.

ODA Advisory

This advisory describes eight vulnerabilities in the ODA Drawings SDK product.

Johnson Controls Advisory

This advisory describes an improper privilege management vulnerability in the Johnson Controls Metasys Servers, Engines, and Tools.

NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.

For a more detailed discussion of these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-published-6-8-21. Subscription required.

Tuesday, April 13, 2021

15 Advisories Published – 4-13-21

Today CISA’s NCCIC-ICS published 15 control systems security advisories for products from Siemens (12), JTEKT, Advantech, and Schneider Electric. One of the Siemens advisories also affects products from Milestone and another also affects products from PKE.

Milestone Advisory

This advisory describes a use of hard-coded cryptographic key vulnerability in the Siemens Siveillance (Milestone) Video Open Network Bridge (ONVIF). The vulnerability was reported by Milestone PSIRT. Siemens has a hot fix and Milestone has an update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server.

Nucleus Advisory #1

This advisory describes a use of insufficiently random variables vulnerability in the Siemens Nucleus DNS module. This is one of the NAME:WRECK DNS vulnerabilities reported by Forescout and JSOF. Siemens has generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to poison the DNS cache or spoof DNS resolving.

SIMOTICS Advisory

This advisory describes four vulnerabilities in the Siemens SIMOTICS CONNECT 400. The vulnerabilities were self-reported. These are NAME:WRECK vulnerabilities in the third-party Mentor DNS Module. Siemens has a new version that mitigates the vulnerabilities.

The four reported vulnerabilities are:

• Improper null termination - CVE-2020-27736,

• Out-of-bounds read - CVE-2020-27737, and

• Access of memory location after end of buffer - CVE-2020-27738 and CVE-2021-25677

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to poison the DNS cache or spoof DNS resolving.

Tecnomatix Advisory

This advisory describes an out-of-bounds write vulnerability in the Siemens Tecnomatix RobotExpert. The vulnerability was reported by Francis Provencher via the Zero Day Initiative. Siemens has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

TIM Advisory

This advisory describes 14 vulnerabilities in the Siemens TIM 4R-IE. This is a third-party vulnerability (ntp.d in SNTP). The vulnerabilities are self-reported.

The 14 reported vulnerabilities are:

• Incorrect type conversion or cast - CVE-2015-5219,

• Improper input validation (4) - CVE-2015-7855 (exploit), CVE-2015-7705, CVE-2015-8138, and CVE-2016-1547,

• Improper authentication (2) - CVE-2015-7871 and CVE-2016-4953

• Security features - CVE-2015-7973,

• Null pointer dereference - CVE-2015-7977,

• Data processing errors (2) - CVE-2015-7979 and CVE-2016-1548,

• Exposure of sensitive information to an unauthorized actor - CVE-2016-1550, and

• Race condition - CVE-2016-4954

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to compromise the confidentiality, integrity, and availability of the device.

PKE Advisory

This advisory describes twelve vulnerabilities in the Siemens (and PKE) Control Center Server (CCS). The vulnerabilities were reported by Raphaël Rigo of Airbus Security Lab. Siemens (and PKE) has new versions that mitigate the vulnerabilities. There is no indication that Rigo has been provided an opportunity to verify the efficacy of the fix.

The 12 reported vulnerabilities are:

• Cleartext storage of sensitive information in GUI - CVE-2019-13947,

• Improper authentication (2) - CVE-2019-18337 and CVE-2019-18341

• Relative path traversal - CVE-2019-18338,

• Use of a broken or risky cryptographic algorithm - CVE-2019-18340,

• Exposed dangerous method or function - CVE-2019-18342,

• Path traversal - CVE-2019-19290,

• Cleartext storage in a file or on a disk - CVE-2019-19291,

• SQL Injection - CVE-2019-19292,

• Cross-site scripting (2) - CVE-2019-19293 and CVE-2019-19294, and

• Insufficient logging - CVE-2019-19295

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read and write arbitrary files and sensitive data and execute commands and arbitrary code.

NOTE: These vulnerabilities were removed from earlier Siemens Advisories, SSA-761617 and SSA-844761.

LOGO! Advisory

This advisory describes two vulnerabilities in the Siemens LOGO! engineering software products. The vulnerabilities were reported by Mashav Sapir from Claroty. Siemens provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Path traversal - CVE-2020-25243, and

• Uncontrolled search path element - CVE-2020-25244

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a local attacker to take over the system where the software is installed.

NOTE: Someone slipped up on the listing of ‘Equipment’ and ‘Vulnerability’ in the ‘Executive Summary’ section of the advisory.

SINEMA Advisory

This advisory describes two vulnerabilities in the Siemens SINEMA Remote Connect Server. These are third-party vulnerabilities (libxml2). Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Missing release of resource after effective lifetime - CVE-2019-19956, and

• Infinite loop - CVE-2020-7595

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to cause a memory leak or an infinite loop situation resulting in a denial-of-service condition.

SCALANCE Advisory

This advisory describes two vulnerabilities in the Siemens Web Server of SCALANCE X200. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-25668, and

• Stack-based buffer overflow - CVE-2021-25669

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a buffer overflow condition resulting in remote code execution.

Solid Edge Advisory

This advisory describes five vulnerabilities in the Siemens Solid Edge software tools. The vulnerabilities were reported by Francis Provencher and rgod via ZDI. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-28385, CVE-2021-25678, CVE-2021-27380,

• Untrusted pointer dereference - CVE-2020-26997, and

• Stack-based buffer overflow - CVE-2021-27382

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerabilities to lead to a crash, arbitrary code execution, or data extraction on the target host system.

Nucleus Advisory #2

This advisory describes two infinite loop vulnerabilities in the Siemens Nucleus products. The vulnerabilities were self-reported. Siemens has a new version for one of the affected products that mitigates the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition.

Nucleus Advisory #3

This advisory describes two vulnerabilities in the Siemens Nucleus DNS module. These are two of the NAME:WRECK DNS vulnerabilities reported by Forescout and JSOF. Siemens provides generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-15795, and

• Use of out-of-range pointer offset - CVE-2020-27009

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a denial-of-service condition or for the execution of code remotely.

NOTE: There were two additional Siemens’ advisories published today that were not covered by NCCIC-ICS. If they are not covered on Thursday, I will address them on Saturday.

JTEKT Advisory

This advisory describes an improper resource shutdown or release vulnerability in the JTEKT TOYOPUC products. The vulnerability was reported by Younes Dragoni from Nozomi Networks. JTEKT has provided generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthorized user to prevent Ethernet communications between devices from being established.

Advantech Advisory

This advisory describes an incorrect permission assignment for critical resource vulnerability in the Advantech WebAccess/SCADA. The vulnerability was reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs of Trend Micro. Advantech has a new version that mitigates the vulnerability. There is no indication that Toyama has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to login as an ‘admin’ to fully control the system.

Schneider Advisory

This advisory describes an improper restriction of XML external entity reference vulnerability in the Schneider SoMachine Basic products. The vulnerability was reported by Gjoko Krstikj of Applied Risk. Schneider has a new product that replaces the affected product and has updated the mitigation measures.

NOTE 1: This is actually based upon an update to a Schneider advisory that was published on May 22nd, 2018.

NOTE 2: Schneider also published two advisories and two other updates today. If they are not covered by NCCIC-ICS on Thursday, I will address them here on Saturday.

Saturday, September 26, 2020

Public ICS Disclosures – Week of 9-19-20

This week we have two vendor disclosures about the CodeMeter vulnerabilities from Bosch and 3S. There are four vendor disclosures for products from Mitsubishi (2), Yokogawa, and Eaton. We also have two researcher reports for vulnerabilities in products from Siemens and Aveva.

CodeMeter Advisories

Bosch published an advisory describing the CodeMeter vulnerabilities in their Rexroth Products. Bosch recommends updating the CodeMeter software. One Bosch update is available to mitigate the vulnerabilities.

3S published an advisory [.PDF download link] describing the CodeMeter vulnerabilities in a number of their products. 3S has new versions of CODESYS V3 that mitigates the vulnerability.

NOTE: This advisory would seem to indicate that the universe of vulnerable products is much larger than previously thought. Vendors using CODESYS products would not have known to check for the CodeMeter vulnerability in their systems.

Mitsubishi Advisories

Mitsubishi published an advisory describing a TCP/IP stack session management vulnerability in a number of their products. The vulnerability was reported by Ta-Lun Yen of Trend Micro via the Zero Day Initiative. Mitsubishi has new versions that mitigate the vulnerability in many of the affected products. There is no indication that Ta-Lun has been provided an opportunity to verify the efficacy of the fix.

Mitsubishi published an advisory describing the Ripple20 vulnerabilities in the WiFi interface for a number of their products. Mitsubishi provides generic workarounds for the vulnerabilities.

NOTE: There is no overlap in the product lists for the two advisories which would indicate that two different TCP/IP stacks are being used.

Yokogawa Advisory

Yokogawa published an advisory describing a classic buffer overflow vulnerability in their FA-M3 Programming Tool. The vulnerability was reported by Parity Dynamics. Yokogawa has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Eaton Advisory

Eaton published an advisory describing an uncontrolled search path element vulnerability in their 9000x programming and configuration software. The vulnerability was reported by Yongjun Liu. Eaton has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.

Siemens Report

Otorio published a blog post describing two vulnerabilities in the Siemens PCS 7 products. According to the post Siemens will provide instruction to avoid the vulnerabilities in the “next update of SIMATIC PCS 7 Compendium Part F”.

The two reported vulnerabilities are:

• A WinCC configuration flaw, and

• A PCS 7 configuration flaw.

NOTE: I cannot find a Siemens advisory that addresses similarly described vulnerabilities, but without a CVE number I cannot really be sure that Siemens has not addressed them.

Aveva Report

Talos published a report describing three vulnerabilities in the Aveva Enterprise Data Management Web data management platform. These vulnerabilities were previously disclosed by Aveva. The Talos report includes proof-of-concept code.

Tuesday, April 7, 2020

5 Advisories and 1 Update Published

Today the CISA NCCIC-ICS published five control system security advisories for products from KUKA, Fuji Electric, HMS Networks, GE Digital and Advantech. They also updated an advisory for products from Synergy.

KUKA Advisory

This advisory describes an improper enforcement of message integrity in a communications channel vulnerability in the KUKA Sim Pro. The vulnerability was reported by Federico Maggi of Trend Micro. KUKA has an upgrade that mitigates the vulnerability. There is no indication that Maggi has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in a loss of integrity in external 3D models fetched from remote servers. When tested on real machines, this effect is unpredictable.

Fuji Advisory

This advisory describes a heap-based buffer overflow vulnerability in the Fuji V-Server Lite. The vulnerability was reported by kimiya via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to gain elevated privileges for remote code execution.

HMS Advisory

This advisory describes a cross-site scripting vulnerability in the HMS eWON Flexy and Cosy. The vulnerability was reported by Ander Martínez of Titanium Industrial Security. HMS has a firmware update that mitigates the vulnerability. There is no indication that Martínez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to initiate a password change.

NOTE: I briefly discussed this vulnerability back in February.

GE Advisory

This advisory describes an improper privilege management vulnerability in the GE Digital CIMPLICITY HMI/SCADA product. The vulnerability was reported by Sharon Brizinov of Claroty. GE has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an adversary to modify the systemwide CIMPLICITY configuration, leading to the arbitrary execution of code.

NOTE: I briefly discussed this vulnerability last weekend.

Advantech Advisory

This advisory describes eight vulnerabilities in the Advantech WebAccess/NMS network management system. The vulnerabilities were reported by rgod of 9sg via ZDI. Advantech has a new version that mitigates the vulnerabilities. There is no indication that rgod was provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-10621;
• SQL injection (2) - CVE-2020-10617 and CVE-2020-10623;
• Relative path traversal (2) - CVE-2020-10619 and CVE-2020-10631;
• Missing authentication for critical function - CVE-2020-10625;
• Improper restriction of XML external entity reference - CVE-2020-10629; and
• OS command injection - CVE-2020-10603

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain remote code execution, upload files, delete files, cause a denial-of-service condition, and create an admin account for the application.

Synergy Update

This update provides new information on an advisory that was originally published on February 11th, 2020. The new information includes:

• Four new vulnerabilities:
  - Missing authentication for critical function - CVE-2019-16879;
  - Improper check for unusual or exceptional conditions - CVE-2020-7800;
  - Exposure of sensitive information to an unauthorized actor - CVE-2020-7801; and
  - Incorrect default permissions - CVE-2020-7802
• Links to three associated advisories from SSS (here, here and here)

Saturday, July 7, 2018

Public ICS Disclosures – Week of 06-30-18

This week we have four vendor reports of vulnerabilities (Siemens, ABB, and PEPPERL+FUCHS (2)) and exploits for two previously reported vulnerabilities (Cisco and Delta Industrial).

Siemens Advisory

This advisory describes six vulnerabilities in the Siemens SICLOCK TC devices. These vulnerabilities are being self-reported. The products are at end-of-life and thus Siemens is just providing workarounds for these vulnerabilities (which probably explains why they have not reported this to ICS-CERT).

Siemens reports that the vulnerabilities could be exploited by an attacker with network access to the device to allow an attacker to cause Denial-of-Service conditions, bypass the authentication, and modify the firmware of the device or the administrative client.

ABB Advisory

This advisory describes a file parser vulnerability in the ABB Panel Builder 800 products. The vulnerability was reported by Michael DePlante of Leahy Center for Digital Investigation and Michael Flanders of Trend Micro. ABB is working on an update for this product, but has provided workarounds to mitigate the vulnerability.

ABB notes that a social engineering attack is required to exploit the product. A successful exploit would allow the attacker to insert and run arbitrary code on a computer where the affected product is used.

NOTE: There was a second advisory reported on the ABB web site for their Sentinel HASP/LDK License Manager, but there was some sort of problem with the link provided.

PEPPERL+FUCHS Advisories

The first advisory addresses the Spectre and Meltdown vulnerabilities in their ecom mobile devices. This is separate from their previously reported Spectre/Meltdown advisory for their HMI products. That other advisory is listed in the most recent ICS-CERT alert update.

The advisory notes that firmware updates will be released for the affected products.

The second advisory describes a remote code execution vulnerability in the PEPPERL+FUCHS HMI products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman of Preempt Research Labs. This vulnerability is in a third-party product, Microsoft's Credential Security Support Provider. PEPPERL+FUCHS has provided updates for some of the affected products and recommended using the Microsoft Windows update for the remaining Windows 7 or Windows 10 based systems.

Cisco Exploit

Yassine Aboukir published exploit code on ExploitDB.com for a path traversal vulnerability in the Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability was most recently reported by ICS-CERT as a third-party vulnerability in the Rockwell Allen-Bradley Stratix 5950.

Delta Industrial Exploit

t4rkd3vilz published exploit code on ExploitDB.com for a stack-based buffer overflow vulnerability in the Delta Industrial Automation COMMGR. This vulnerability was reported by ICS-CERT on June 21st, 2018.
