Showing posts with label xArrow. Show all posts

Tuesday, August 17, 2021

Review – 3 Advisories and 1 Update Published – 8-17-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from xArrow, Advantech, and ThroughTek. They also updated an advisory covering multiple RTOS.

xArrow Advisory - This advisory describes three vulnerabilities in the xArrow SCADA/HMI.

Advantech Advisory - This advisory describes an improper authentication vulnerability in the Advantech WebAccess network management system (NMS).

ThroughTek Advisory - This advisory describes an improper access control vulnerability in their Kalay P2P software development kit (SDK).

Multiple RTOS Update - This update provides additional information for an advisory that was originally published on April 29th, 2021 and most recently updated on May 20th, 2021.

NOTE: CISA’s National Cyber Awareness System (NCAS) published a separate advisory for the BlackBerry BadAlloc vulnerabilities covered in this Update.

 

For more details about these advisories, including links to proof-of-concept code and plenty of editorial notes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published - subscription required.

Friday, May 25, 2012

Two DHS ICS-CERT Advisories


Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two advisories for control system vulnerabilities identified in Measuresoft’s SCADAPRO and the xArrow Software HMI system. Alert readers will note that the xArrow Advisory is an update from an earlier xArrow Alert.

Measuresoft Advisory


Measuresoft is an Irish SCADA manufacturer, and this advisory is based upon an uncontrolled search path element vulnerability (DLL hijack) reported by Carlos Mario Penagos Hollmann in a coordinated disclosure. The vulnerability could be remotely exploited by a moderately skilled attacker, possibly resulting in execution of arbitrary code.

Measuresoft has produced upgrades for both its ScadaPro Server and Client. According to the Advisory, Hollmann has verified that the upgrades appropriately mitigate the vulnerability.

xArrow Advisory


xArrow Software is a Chinese software development firm. The four vulnerabilities were identified in their HMI by Luigi back in March and reported in an uncoordinated disclosure. The vulnerabilities listed are:

• Null pointer de-reference;

• Heap-based buffer overflow;

• Out-of-bounds read; and

• Improper restriction of operations within the bounds of the memory buffer.

The Advisory states that “No known exploits specifically target these vulnerabilities.” This contradicts what ICS-CERT said in their original Alert, and Luigi is well known for having exploit code on his web site (and it looks like exploit code to me for this disclosure). This is probably one of those formatting mistakes (using a canned format for the Advisory) rather than a deliberate misstatement on the part of ICS-CERT.

Missed Alert and Advisory


I did not report on an alert and an advisory published by ICS-CERT last week. The alert was for another Luigi uncoordinated disclosure for multiple (4) vulnerabilities in the Pro-Face Pro-Server SCADA/HMI product. The advisory was a follow-up to an earlier alert about a buffer overflow vulnerability in the Advantech Studio, an automation tool used to develop HMI and SCADA systems. There is no telling what systems Studio has been used to develop or if any have been compromised through this vulnerability.

Monday, March 5, 2012

Another Luigi HMI Alert

This afternoon the DHS ICS-CERT published an alert for multiple SCADA-HMI vulnerabilities reported by Luigi in the xArrow SCADA-HMI application. The four reported vulnerabilities are:

• Decompression NULL Pointer;
• Heap Corruption;
• Invalid Read Access; and
• Memory Corruption

The alert notes that the vulnerabilities are all remotely exploitable and proof-of-concept code is available on the Luigi web site (NOTE: ICS-CERT does not provide a link to that site).

Interestingly there is another SCADA vulnerability listed on the Luigi web site that was published on the same day (March 2nd, 2012) as the xArrow vulnerability. That vulnerability is reported in the Beckhoff TwinCAT system; it is an integer overflow vulnerability in the TCatScopeView application. I wonder why there isn’t an ICS-CERT alert for that vulnerability, unless, of course, there is already another, coordinated disclosure, in the works for that vulnerability.
 