Showing posts with label Zero Science Lab

Friday, November 15, 2019

6 Advisories and 2 Updates Published – 11-14-19


Yesterday the CISA NCCIC-ICS published five control system security advisories for products from ABB, Omron and Siemens (3); and one medical device security advisory for products from Philips. They also updated two previously published advisories for products from Siemens.

ABB Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the ABB Power Generation Information Manager (PGIM) and Plant Connect monitoring platforms. This vulnerability was reported by Rikard Bodforss. ABB reports that PGIM will transition to a limited support phase in January 2020, and Plant Connect is already obsolete.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to bypass authentication and extract credentials from the device.

NOTE: I briefly reported on this vulnerability earlier this month.

Omron Advisory


This advisory describes a use of obsolete function vulnerability in the Omron CX-Supervisor. The vulnerability was reported by Michael DePlante of the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability, resulting in information disclosure, total compromise of the system, and system unavailability.

Desigo PX Advisory


This advisory describes an external control of assumed immutable web parameter vulnerability in the Siemens Desigo PX automation controllers. The vulnerability was reported by Gjoko “LiquidWorm” Krstic from Zero Science Lab. Siemens has updates that mitigate the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition on the device’s web server, requiring a reboot to recover the web interface.

S7-1200 Advisory


This advisory describes an exposed dangerous method or function vulnerability in the Siemens S7-1200 CPU. The vulnerability was reported by Ali Abbasi from Ruhr University of Bochum. Siemens has provided generic workarounds for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to expose additional diagnostic functionality to an attacker with physical access to the UART interface during the boot process. The Siemens advisory notes that the attacker must have physical access to the UART interface during the boot process to exploit the vulnerability (feature).

NOTE: I briefly discussed this vulnerability last weekend.

Mentor Nucleus Advisory


This advisory describes an improper input validation vulnerability in the Siemens Mentor Nucleus Networking Module. The vulnerability was reported by Armis. Siemens has updates that mitigate the vulnerability. There is no indication that Armis was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to affect the integrity and availability of the device. According to the Siemens advisory, adjacent network access (but no authentication and no user interaction) is required to exploit the vulnerability.

Philips Advisory


This advisory describes an inadequate encryption strength vulnerability in the Philips IntelliBridge EC40 and EC80 data transfer devices. The vulnerability was reported by The Medical Technology Solutions team of NewYork-Presbyterian Hospital. Philips has provided generic workarounds while developing formal mitigation.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to gain unauthorized access to the IntelliBridge EC40/80 hub, which may allow the attacker to execute software, modify system configuration, or view/update files, including unidentifiable patient data.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019. The new information includes new affected version information and mitigation measures for:

• SINAMICS S120 V4.7;
• SINAMICS S150;
• SINAMICS G130 V4.7;
• SINAMICS G150; and
• SINAMICS SL150 V4.7

Industrial Products Update


This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated on October 8th, 2019. The new information includes:

• Updated version information and mitigation link for SIMATIC MV500; and
• Removed SIMATIC RF166C from affected products.

Other Siemens Updates


On Tuesday Siemens also published two other advisory updates that have not yet been addressed by NCCIC-ICS, nor do I expect them to be addressed as the underlying vulnerabilities have not been reported by NCCIC-ICS. I will report on them tomorrow.

Thursday, June 7, 2018

ICS-CERT Publishes an Advisory and an Update


Today the DHS ICS-CERT published a new control system security advisory for products from Rockwell. They also published an update to a control system security advisory for products from Delta Electronics.

Rockwell Advisory


This advisory describes an unquoted search path or element vulnerability in the Rockwell RSLinx Classic and FactoryTalk Linx Gateway. The vulnerability was reported by Gjoko Krstic of Zero Science Lab. Rockwell has new versions available that mitigate the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an authorized but non-privileged local user to execute arbitrary code and escalate privileges on the affected workstation.

NOTE: The advisory points to an older Rockwell description of an unquoted search path vulnerability and how it works.

Delta Update


This update provides additional information on an advisory that was originally published on May 17th, 2018. The revised version provides a link to a new version that mitigates the vulnerability and additional NCCIC recommendations for generic mitigation measures.

Tuesday, August 22, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from SpiderControl (2) and Automated Logic Corporation.

SCADA Web Server Advisory 


This advisory describes a path traversal vulnerability in the SpiderControl SCADA Web Server. The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative (ZDI). SpiderControl has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain read access to system files through directory traversal.
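The directory traversal class in this advisory comes down to one mistake: the web server glues the requested name onto its document root without checking where the result lands. The script below is an added example, not code from the original post or from SpiderControl. It shows the naive concatenation beside a hardened resolver that percent-decodes once, treats backslashes as separators, normalizes, and refuses anything that resolves outside the root. The web root and the request strings are constructed for the example and do not come from the advisory.

```python
import posixpath
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

# Hypothetical web root for the example; not taken from the advisory.
WEB_ROOT = "/opt/scada/www"


def naive_resolve(root: str, requested: str) -> str:
    """What a traversal-prone server does: decode the request and glue it
    onto the root. Returns the path the OS would actually open."""
    return posixpath.normpath(root + "/" + unquote(requested))


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened resolver. Returns the canonical path under root, or None
    when the request would escape it."""
    decoded = unquote(requested)          # exactly one round of percent-decoding
    if "\x00" in decoded:                 # a NUL would truncate a C-string path
        return None
    decoded = decoded.replace("\\", "/")  # backslash is a separator on Windows targets
    root_norm = posixpath.normpath(root)
    # A leading "/" is treated as root-relative, never as an absolute path.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# Constructed sample requests: plain, dot-segment, percent-encoded,
# backslash and absolute forms of the same probe.
SAMPLE_REQUESTS = [
    "index.html",
    "sub/../index.html",
    "../../etc/passwd",
    "..%2f..%2fetc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\..\\etc/passwd",
    "/etc/passwd",
]


def audit(root: str, requests: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each request to the path the hardened resolver would serve (None = blocked)."""
    return {r: safe_resolve(root, r) for r in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:30} naive -> {naive_resolve(WEB_ROOT, req):34} safe -> {safe_resolve(WEB_ROOT, req)}")
```

Two caveats for a real server: resolve symlinks (os.path.realpath) before the prefix check, since a link inside the root can point outside it, and decode only once; a double-encoded `%252e%252e` survives as the literal directory name `%2e%2e`, which is only a traversal if a second decoder runs on it later.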

SCADA MicroBrowser Advisory


This advisory describes a stack-based buffer overflow vulnerability in the SpiderControl SCADA MicroBrowser. The vulnerability was reported by Karn Ganeshen via ZDI. SpiderControl has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to the system, manipulate system files, and potentially render the system unavailable.

Automated Logic Advisory


This advisory describes three vulnerabilities in the ALC WebCTRL, i-Vu, and SiteScan Web. The vulnerabilities were reported by Gjoko Krstic from Zero Science Lab. ALC has produced patches that mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Unquoted search path or element - CVE-2017-9644;
• Path traversal - CVE-2017-9640; and
• Unrestricted upload of file with dangerous type - CVE-2017-9650


ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to elevate his or her privileges to execute arbitrary code on the system.
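The unquoted search path finding here (CVE-2017-9644) and the Rockwell RSLinx Classic one in the June 2018 post above rest on the same mechanism: when a service ImagePath contains spaces and is not quoted, the service control manager tries each space-delimited prefix with .exe appended before it reaches the real binary, so a local user who can write to one of those parent directories gets code execution as the service account. The script below is an added example, not code from either vendor or from the advisories. It enumerates the hijack candidates for a constructed list of ImagePath values; on a real host you would feed it the values read from HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath (or the output of `wmic service get name,pathname`) and then check which candidate directories a low-privileged user can write to. The service names in the sample are illustrative only.

```python
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The first token ending in .exe (case-insensitive) is the executable; the
# remainder of the ImagePath is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    image_path: str
    executable: str
    candidates: List[str]   # paths the SCM would try before the real binary


def executable_from_image_path(image_path: str) -> str:
    """Return the executable portion of an ImagePath value, quoted or not."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = _EXE_RE.match(s)
    return m.group(1) if m else s


def hijack_candidates(executable: str) -> List[str]:
    """CreateProcess semantics for an unquoted path with spaces: every
    space-delimited prefix is tried, with .exe appended, before the full name."""
    tokens = executable.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def find_unquoted_paths(services: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Report services whose unquoted executable path contains spaces."""
    findings = []
    for name, image_path in services:
        if image_path.strip().startswith('"'):
            continue                      # quoted: not exposed to this class
        exe = executable_from_image_path(image_path)
        cands = hijack_candidates(exe)
        if cands:
            findings.append(Finding(name, image_path, exe, cands))
    return findings


def writable_candidates(finding: Finding) -> List[str]:
    """On the target host: keep only candidates whose parent directory the
    current user can create files in. Only meaningful when run on Windows."""
    return [c for c in finding.candidates
            if os.access(ntpath.dirname(c), os.W_OK)]


# Constructed sample of (service, ImagePath) pairs; names are illustrative only.
SAMPLE_SERVICES = [
    ("RSLinxSvc",  r"C:\Program Files (x86)\Rockwell Software\RSLinx\RSLINX.EXE"),
    ("QuotedSvc",  r'"C:\Program Files\Vendor\Agent\agent.exe" -service'),
    ("HostSvc",    r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("NoSpaceSvc", r"C:\Tools\monitor.exe"),
    ("DriverSvc",  r"%SystemRoot%\System32\drivers\vendor.sys"),
]


if __name__ == "__main__":
    for f in find_unquoted_paths(SAMPLE_SERVICES):
        print(f"{f.service}: {f.image_path}")
        for c in f.candidates:
            print(f"    would try: {c}")
```

The fix on the vendor side is simply to quote the path in the registry value; on the defender side, verifying that none of the candidate directories is writable by standard users closes the issue even before the patch lands.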
 