Showing posts with label William Knowles. Show all posts

Thursday, July 2, 2020

3 Advisories and 1 Update Published – 7-2-20


Today the CISA NCCIC-ICS published two control system security advisories for products from ABB and Nortek and a medical device security advisory for products from OpenClinic. They also updated an advisory for products from Johnson Controls.

ABB Advisory


This advisory describes a cross-site scripting vulnerability in the ABB System 800xA Information Manager. The vulnerability was reported by William Knowles of Applied Risk. ABB has versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to inject and execute arbitrary code on the information manager server.

NOTE 1: An interesting process safety note can be found in the ABB Advisory:

“Under certain conditions exploits of this vulnerability may affect the integrity of safety functions in System 800xA. This is however prevented if the Access Enable key in the AC800MHI is turned Off (“disabled”) and Access Level for the variables in the safety applications are configured to ‘Read Only’ or ‘Confirm and Access Enable’”

NOTE 2: I briefly discussed this vulnerability back in April.

Nortek Advisory


This advisory describes five vulnerabilities in the Nortek Linear eMerge 50P/5000P. The vulnerabilities were reported by Gjoko of Applied Risk. Nortek has a new version that mitigates the vulnerabilities. There is no indication that Gjoko has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Path traversal - CVE-2019-7267,
• Command injection - CVE-2019-7269,
• Unrestricted upload of file with dangerous type - CVE-2019-7268,
• Cross-site request forgery - CVE-2019-7270, and
• Improper authentication - CVE-2019-7266

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain full system access.

NOTE 1: The Applied Risk advisory also describes a default credentials vulnerability (CVE-2019-7271) in this product.

NOTE 2: There is at least one publicly available exploit for vulnerabilities described in this advisory.

OpenClinic Advisory


This advisory describes 12 vulnerabilities in the OpenClinic GA, an open-source integrated hospital information management system. The vulnerabilities were reported by Brian D. Hysell. NCCIC-ICS has not received any confirmation of mitigation measures from OpenClinic GA.

The twelve reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2020-14485,
• Improper restriction of excessive authentication attempts - CVE-2020-14484,
• Improper authentication - CVE-2020-14494,
• Missing authorization - CVE-2020-14491,
• Execution with unnecessary privileges - CVE-2020-14493,
• Unrestricted upload of file with dangerous type - CVE-2020-14488,
• Path traversal - CVE-2020-14490,
• Improper authorization - CVE-2020-14486,
• Cross-site scripting - CVE-2020-14492,
• Use of unmaintained third-party components - CVE-2020-14495,
• Insufficiently protected credentials - CVE-2020-14489, and
• Hidden functionality - CVE-2020-14487

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to remotely exploit these vulnerabilities to allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.

Johnson Controls Update


This update provides additional information on an advisory that was originally published on June 18th, 2020. The new information includes corrected version information and mitigation measures.

NCCIC-ICS Update Listings


NCCIC-ICS did not list this latest update on either the ‘Industrial Control Systems’ or the ‘ICS-Archive’ pages. Since this has happened on two consecutive disclosure days, it would appear that this is a change in policy. They are still (for the time being at least) reporting these updates in their emails and TWEETS®. You can sign up for their email alerts at the bottom of the landing page and/or follow their TWEETS @ICS-CERT.

Wednesday, June 24, 2020

3 Advisories and 5 Updates Published – 6-23-20


Yesterday the CISA NCCIC-ICS published three control system security advisories for products from ABB, Honeywell and Mitsubishi Electric. They updated five medical device security advisories for products from BD and Baxter (4).

ABB Advisory


This advisory describes an insecure storage of sensitive information vulnerability in the ABB Device Library Wizard. The vulnerability was reported by William Knowles of Applied Risk. ABB has new versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a low-level user to escalate privileges and fully compromise the device.

Honeywell Advisory


This advisory describes two cleartext transmission of sensitive information vulnerabilities in the Honeywell ControlEdge PLC and RTU. The vulnerabilities were reported by Nikolay Sklyarenko of Kaspersky. Honeywell provides a document (login required) describing the mitigation measures for these vulnerabilities. There is no indication that Sklyarenko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain passwords and session tokens.

Mitsubishi Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in the Mitsubishi MELSEC CPU modules. The vulnerability was reported by Shunkai Zhu, Rongkuan Ma and Peng Cheng from NESC Lab. Mitsubishi provides generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow information disclosure, information tampering, unauthorized operation, or a denial-of-service condition.

NOTE: NCCIC-ICS did not publish the link to the Mitsubishi advisory.

BD Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the BD advisory.

Sigma Spectrum Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Phoenix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

PrismaFlex Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisories (PrismaFlex and PrisMax).

ExactaMix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Tuesday, June 2, 2020

6 Advisories and 1 Update Published – 6-2-20


Today the CISA NCCIC-ICS published six control system security advisories for products from ABB (4), GE and SWARCO Traffic Systems. They also updated an advisory for products from Inductive Automation.

System 800xA Advisory


This advisory describes two incorrect default permissions vulnerabilities in the ABB System 800xA. The vulnerabilities were reported by William Knowles of Applied Risk. ABB provides generic workarounds to mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to escalate privileges, cause system functions to stop, and corrupt user applications.

NOTE: I briefly described these vulnerabilities in early April.

System 800xA Base Advisory


This advisory describes an incorrect permission assignment for critical resource vulnerability in the ABB System 800xA Base. The vulnerability was reported by William Knowles of Applied Risk. ABB has a new version that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to escalate privileges and cause system functions to stop or malfunction.

NOTE: I briefly described these vulnerabilities in early April and then I discussed the ABB update later that month. The updated version is being reported by NCCIC-ICS.

System 800xA Products Advisory


This advisory describes seven incorrect default permission vulnerabilities in various ABB System 800xA products. The vulnerabilities were reported by William Knowles of Applied Risk. NCCIC-ICS reports that ABB plans to correct these vulnerabilities in a future version.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to make the system node inaccessible or tamper with runtime data in the system.

NOTE: I briefly described these vulnerabilities in early April and then I discussed the ABB update later that month. The updated version is being reported by NCCIC-ICS.

Central Licensing System Advisory


This advisory describes five vulnerabilities in the ABB Central Licensing System. The vulnerabilities were reported by William Knowles of Applied Risk. ABB has new versions that mitigate the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Information exposure - CVE-2020-8481,
• Improper restriction of XML external entity reference - CVE-2020-8479,
• Uncontrolled resource consumption - CVE-2020-8475,
• Permissions, privileges and access controls - CVE-2020-8476, and
• Improper access controls - CVE-2020-8471

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to take control of the affected system node remotely and cause an affected CLS Server node to stop or prevent legitimate access to the affected CLS Server.

I briefly reported these vulnerabilities in late April.

GE Advisory


This advisory describes a missing authentication for critical function vulnerability in the GE Grid Solutions Reason RT Clocks. The vulnerability was reported by Ehab Hussein of IOActive. GE has a new firmware version that mitigates the vulnerability. There is no indication that Hussein has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow access to sensitive information, execution of arbitrary code, and cause the device to become unresponsive.

SWARCO Advisory


This advisory describes an improper access control vulnerability in the SWARCO CPU LS4000. The vulnerability was reported by Martin Aman of ProtectEM. SWARCO has a patch that mitigates the vulnerability. There is no indication that Aman has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow access to the device and disturb operations with connected devices.

I briefly discussed this vulnerability last Saturday.

Inductive Automation Update


This update provides additional information on an advisory that was originally published on May 26th, 2020. The new information includes adding Ignition 7 Gateway to the list of affected products and providing mitigation measures for that product.

Thursday, May 14, 2020

Verifying Fixes


I got some interesting feedback on a phrase in yesterday’s post about advisories from NCCIC-ICS; in particular the common sentence in too many of my responses: “There is no indication that Knowles [substitute the name of the current security researcher reporting the vulnerability] has been provided an opportunity to verify the efficacy of the fix.”

First, I got a TWITTER® DM from a long-time reader associated with OSIsoft, the subject of one of the advisories discussed yesterday. That DM informed me that while NCCIC-ICS did not routinely comment on researcher verification efforts, the OSIsoft advisory did include such language in this instance. Unfortunately, I cannot see that advisory since it is behind a customer-only firewall. In any case, it seems (see below) that OSIsoft was actively involved in allowing researcher verification of the fix reported in this instance and they are to be commended for that.

This in turn led to a series of emails from folks at Applied Risk, the company reporting the OSIsoft vulnerabilities. They confirmed that OSIsoft had actively worked with them to allow verification of the fixes announced in Tuesday’s advisory. In fact, according to William Knowles, the researcher involved in the situation, OSIsoft went so far as to provide a temporary license for the software to help Applied Risk in their evaluation.

Knowles went on to say:

“Verification of fixes of course always a good thing, but it really depends on whether software access is still available.  As you’ll know, getting access to this software isn’t always easy (expensive price tags, no trials, etc), and initial exposure often comes through consultancy work in third party environments. That access is often very transient.  At that point it all depends on the institutional openness and willingness of the vendor, and furthermore, who you’re even dealing with at the vendor on an individual level, and if they have the capability of dishing out temporary licenses and links to software downloads.  That isn’t always easy; however, in the case of OSIsoft it was, as the process was encouraged from their side.”

We have seen a number of instances where ‘fixed’ vulnerabilities had to be re-fixed at a later date when it was determined that the vulnerability still existed. I noted yesterday that the 3S update published by NCCIC-ICS was apparently one of those situations. If more researchers were involved in fix verification, this problem would be greatly reduced. For the vendors involved it would also demonstrate their commitment to work with the independent researcher community in identifying and fixing security vulnerabilities.

I will continue to call out vendors when they do not support researchers in this manner. And, of course, I will give credit when it is due.

Wednesday, May 13, 2020

2 Advisories and 7 Updates Published


Yesterday the CISA NCCIC-ICS published two control system security advisories for products from OSIsoft and Eaton. They also updated previously published advisories for products from 3S, Interpeak, and Siemens (5).

OSIsoft Advisory


This advisory describes ten vulnerabilities in the OSIsoft PI System. The vulnerabilities were reported by William Knowles at Applied Risk. OSIsoft provides workarounds to mitigate the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix. UPDATE [5-14-20 8:00 EDT]: Applied Risk has verified that Knowles was provided an opportunity to verify the efficacy of the fix (see https://chemical-facility-security-news.blogspot.com/2020/05/verifying-fixes.html).

The ten reported vulnerabilities are:

• Uncontrolled search path element - CVE-2020-10610,
• Improper verification of cryptographic key - CVE-2020-10608,
• Incorrect default permissions - CVE-2020-10606,
• Uncaught exception - CVE-2020-10604,
• Null pointer dereference (2) - CVE-2020-10602 and CVE-2020-10600,
• Improper input validation - CVE-2019-10768,
• Cross-site scripting (2) - CVE-2020-10600 and CVE-2020-10614, and
• Insertion of sensitive information into log file - CVE-2019-18244

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to access unauthorized information, delete or modify local processes, and crash the affected device.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton Intelligent Power Manager software monitoring and management platform. The vulnerabilities were reported by Sivathmican Sivakumaran of Trend Micro’s Zero Day Initiative. Eaton has a new version that mitigates the vulnerabilities. There is no indication that Sivakumaran has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper input validation - CVE-2020-6651, and
• Incorrect privilege assignment - CVE-2020-6652

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to perform command injection or code execution and allow non-administrator users to manipulate the system configurations.

3S Update


This update provides additional information for an advisory that was originally reported on September 12th, 2019. The new information includes a link to an even newer version that more completely mitigates the vulnerability.

NOTE: This is part of the reason that I advocate for the researchers that discovered the vulnerability being provided a specific opportunity to verify the efficacy of the reported fix.

Interpeak Update


This update provides additional information for the Urgent/11 advisory that was originally published on October 1st, 2019 and most recently updated on February 18th, 2020. The new information includes a link to the new Siemens Power Meters advisory that was published today.

SIPROTEC Update


This update provides additional information for an advisory that was originally published on July 9th, 2019 and most recently updated on December 10th, 2019. The new information includes affected version numbers and mitigation links for SIPROTEC 5 device types 7SS85 and 7KE85.

SINAMICS Update


This update provides additional information for an advisory that was originally published on August 15th, 2019 and most recently updated on December 10th, 2019. The new information includes affected version numbers and mitigation links for SINAMICS SL150 V4.8.

SIMATIC Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on April 14th, 2020. The new information includes affected version numbers and mitigation links for SIMATIC NET PC Software.

KTK Update


This update provides additional information for an advisory that was originally published on April 14th, 2020. The new information includes the addition of the SIMATIC S7-400 H V6 CPU family to the list of affected products.

RUGGEDCOM Update


This update provides additional information for an advisory that was originally published on April 14th, 2020. The new information includes the removal of IE/PB-Link V3 from the list of affected products.

Other Advisories


Siemens published one additional update that was not covered by NCCIC-ICS yesterday. I will address that on Saturday.

Schneider has also joined the 2nd Tuesday patch club. They published 3 new advisories and 4 updates that I will also address on Saturday.

Saturday, April 25, 2020

Public ICS Disclosure – Week of 4-18-20


This week we have 8 vendor advisories for products from ABB (4), Johnson Controls, Rockwell, BD and Eaton; as well as 3 updated advisories for products from ABB. There are also 3 researcher disclosures for products from P5, Rockwell and Siemens.

ABB Advisories


ABB published an advisory describing a path traversal vulnerability in their UPS Adapter CS141. The vulnerability was reported by Eduardo Cataño Conde. ABB has a new version that mitigates the vulnerability. There is no indication that Conde has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing five vulnerabilities in their ABB Central Licensing System. The vulnerabilities were reported by William Knowles at Applied Risk. ABB will be preparing product specific advisories for these vulnerabilities.

The five reported vulnerabilities are:

• Information disclosure - CVE-2020-8481;
• XML external entity injection - CVE-2020-8479;
• Denial of service - CVE-2020-8475;
• Privilege elevation - CVE-2020-8476; and
• Weak file permissions - CVE-2020-8471


ABB published an advisory describing the impact of their Central Licensing System Vulnerabilities (see above) on their System 800xA, Compact HMI and Control Builder Safe products. A new version of the Central Licensing System is available that mitigates some of the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing an inter-process communication vulnerability in System 800xA. The vulnerability was reported by William Knowles at Applied Risk. ABB has provided generic workarounds to mitigate the vulnerability while working on product updates. NOTE: ABB has requested separate CVE numbers for each affected product based upon varying levels of risk in the products.


NOTE: The ABB Alerts and Notifications page also lists two advisories for products from B&R. I have not covered them here because they were covered when they were released by B&R.

Johnson Controls Advisory


Johnson Controls published an advisory describing an XML external entity injection vulnerability in their BCPro Workstation and Building Configuration Tool (BCT) software. The vulnerability is self-reported. Johnson Controls has a patch that mitigates the vulnerability.

Rockwell Advisory


Rockwell published an advisory describing eight third-party vulnerabilities in their FactoryTalk product. The vulnerabilities are in the Gemalto Sentinel LDK Runtime Environment. The Sentinel LDK vulnerabilities were reported by Kaspersky in January of 2018. Rockwell has a new version that mitigates the vulnerabilities.

BD Advisory


BD published an advisory describing a third-party vendor outdated certificate vulnerability in a large number of their products. The problem was identified by ESET in some of their legacy products. BD is working on validating the ESET update.

Eaton Advisory


Eaton published an advisory describing a third-party vendor stack-based buffer overflow vulnerability in their products supporting the DNP3 Protocol. The Triangle MicroWorks vulnerability was reported by NCCIC-ICS (ICSA-20-105-02) last week. Eaton provided generic workarounds while it is evaluating the vulnerability and its effects on their products.

ABB Updates


ABB published an update for their System 800xA Weak File Permissions advisory that was originally published on April 2nd, 2020. The new information includes an added FAQ question on functional safety.


ABB published an update for their System 800xA Information Manager advisory that was originally published on April 2nd, 2020. The new information includes an added FAQ question on functional safety. (NOTE: includes statement that: “Under certain conditions exploits of this vulnerability may affect the integrity of safety functions in System 800xA.”)


ABB published an update for their System 800xA Weak Registry Permissions advisory that was originally published on April 2nd, 2020. NOTE: The ABB Alerts and Notifications page says that this advisory was updated on “2020-04-21” like the previous 2, but the link takes one to the original advisory with no changes. I suspect that the update should include the same added FAQ question seen in the two updates described above. The difference would be in the answer to that FAQ.


Researcher Disclosures


Zero Science published a report describing a stored cross-site scripting vulnerability in the P5 FNIP-8x16A eight channel relay module. The report includes links to an exploit published by LiquidWorm. Zero Science has attempted to contact P5 but has received no response.

Applied Risk published a report describing an insecure registry permissions vulnerability in the Rockwell RSLinx Classic. This vulnerability was reported by NCCIC-ICS on April 9th, 2020.

Applied Risk published a report describing an insecure file permissions vulnerability in the Siemens TIA Portal. This vulnerability was reported by NCCIC-ICS on January 14th, 2020 and subsequently updated on April 14th.

Saturday, April 4, 2020

Public ICS Disclosures – Week of 3-28-20


This week we have eight vendor disclosures for products from PEPPERL+FUCHS, ABB (4), B&R Automation, GE Digital and BD and updates for two previous vendor disclosures from 3S.

PEPPERL+FUCHS Advisory


VDE CERT published an advisory describing a time-of-check time-of-use race condition vulnerability in the PEPPERL+FUCHS Tab-Ex 02 mobile device. This is the third-party 'Kr00k' vulnerability affecting encrypted WiFi traffic, and PEPPERL+FUCHS reports that this is the only device of theirs that is vulnerable. PEPPERL+FUCHS plans on releasing an update to mitigate this vulnerability in May 2020.

NOTE: This vulnerability affects a variety of Broadcom and Cypress chipsets.

ABB Advisories


ABB published an advisory describing two weak file permission vulnerabilities in their System 800xA. The vulnerabilities were reported by William Knowles at Applied Risk. ABB has new versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing four vulnerabilities in their Telephone Gateway. The vulnerabilities were reported by Maxim Rupp. The product was phased out in 2015 and there are no plans to mitigate the vulnerability.

The four reported vulnerabilities are:

• Improper authentication and access control - CVE-2019-19104;
• Unprotected storage of credentials - CVE-2019-19105;
• Permissions, privileges and access control - CVE-2019-19106; and
• Information exposure - CVE-2019-19107


ABB published an advisory describing a remote code execution vulnerability in their System 800xA information manager. The vulnerability was reported by William Knowles at Applied Risk. An update to mitigate this vulnerability will be included in the next product release.


ABB published an advisory describing a weak registries permission vulnerability in their System 800xA. The vulnerability was reported by William Knowles at Applied Risk. ABB has a new version that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

B&R Advisory


B&R published an advisory describing a race condition vulnerability in a variety of their products. This is the third-party Intel TPM-Fail vulnerability. B&R has BIOS patches available to mitigate the vulnerability.

GE Advisory


GE published an advisory describing a privilege escalation vulnerability in their CIMPLICITY HMI/SCADA product. The vulnerability was reported by Claroty. GE has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

BD Advisory


BD published an advisory describing three remote code execution vulnerabilities on a variety of BD products. These are third-party Microsoft vulnerabilities in the Remote Desktop services. BD reports that it is currently working to test and validate the Microsoft patch for their products.

The three reported vulnerabilities (links are to MS reports on the vulnerability) are:

• CVE-2020-0610; and

3S Updates


3S published an update [.PDF download link] for an advisory that was originally published on March 25th, 2020. The new information includes reporting the availability of publicly available proof-of-concept exploit code that I reported last week.


3S published an update [.PDF download link] for an advisory that was originally published on March 25th, 2020. The new information includes reporting the availability of publicly available proof-of-concept exploit code that I reported last week.

Commentary


There are a lot of ‘third-party’ vulnerabilities being reported this week; all in systems that are likely to be found in products from other vendors. This is especially true when the ‘third-party’ is a major player like Intel or Microsoft.
