11 Advisories and 1 Update Published – 1-12-23
Today, CISA’s NCCIC-ICS published eleven control system security advisories for products from Siemens (4), Johnson Controls, SAUTER Controls, Panasonic, InHand Networks, RONDS, Sewio, and Hitachi Energy. They also updated a medical device security advisory for products from Philips. Siemens published two other advisories on Tuesday that were not addressed by NCCIC-ICS; I will cover them this weekend.
NOTE: NCCIC-ICS added a notice to each of the four Siemens advisories published today that: “Beginning January 10, 2023, CISA will no longer be updating historical security advisories for Siemens product vulnerabilities. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).” This will result in a significant reduction in the workload for NCCIC-ICS in the week of Patch Tuesday.
Siemens Advisory #1
This advisory describes a cross-site scripting vulnerability in the Siemens Mendix SAML Module. The vulnerability is self-reported. Siemens has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain sensitive information by tricking users into accessing a malicious link.
Siemens Advisory #2
This advisory describes a missing immutable root of trust in hardware vulnerability in the Siemens S7-1500 CPU product family. The vulnerability was reported by Yuanzhe Wu and Ang Cui from Red Balloon Security. Siemens provides generic mitigation measures. The Siemens advisory reports that no fix is currently planned for the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker with physical access to the device to replace the boot image of the device and execute arbitrary code.
Siemens Advisory #3
This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens Solid Edge product. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code while parsing files in different formats.
NOTE: The Siemens advisory notes that the vulnerability was reported by Michael Heinz of AweSec.
Siemens Advisory #4
This advisory describes two vulnerabilities in the Siemens Automation License Manager (ALM). The vulnerabilities were reported by Eran Jacob from OTORIO. Siemens has a new version that mitigates the vulnerabilities. There is no indication that Jacob has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
External control of file name or path - CVE-2022-43513, and
Path traversal - CVE-2022-43514
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to modify and rename license files, extract licenses, and overwrite arbitrary files on the target system, potentially leading to privilege escalation and remote code execution.
Johnson Controls Advisory
This advisory describes an insufficiently protected credentials vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers. The vulnerability is self-reported. Johnson Controls has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to result in exposed credentials in plain text to unauthenticated users.
SAUTER Advisory
This advisory describes two vulnerabilities in the SAUTER Controls Nova 200–220 Series (PLC 6). The vulnerabilities were reported by Jairo Alonso Ortiz, Aarón Flecha Menéndez and Iñaki Lázaro Ayanz of S21Sec. The product is no longer supported; no fix will be forthcoming.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow unauthorized visibility to sensitive information and remote code execution.
Panasonic Advisory
This advisory describes a cross-site request forgery vulnerability in versions of the Panasonic Sanyo CCTV Network Camera. The vulnerability was reported by Gjoko Krstic of Zero Science Lab; the report includes a link to proof-of-concept code. Panasonic reports that the affected products are no longer in support; no fix will be forthcoming.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow attackers to perform actions via HTTP without validity checks.
NOTE: Krstic published his report on this vulnerability in July 2021. At that time Panasonic reported that the affected cameras were no longer being produced and had been out of support since 2019. This advisory is not very timely.
InHand Advisory
This advisory describes five vulnerabilities in the InHand InRouter302 and InRouter615. The vulnerabilities were reported by Roni Gavrilov from OTORIO. InHand has new versions that mitigate the vulnerabilities. There is no indication that Gavrilov has been provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
Cleartext transmission of sensitive information - CVE-2022-22597?,
OS command injection - CVE-2022-22598?,
Use of a one-way hash with predictable salt - CVE-2022-22599?,
Improper access control - CVE-2022-22600?, and
Use of insufficiently random values - CVE-2022-22601?
NOTE: All CVEs are marked with a question mark because it looks like the numbers are incorrect. The links provided by NCCIC-ICS and the CVE numbers are for unrelated Apple vulnerabilities. I suspect that instead of ‘CVE-2022’ they all should be ‘CVE-2021’, which are reserved but have not had any information provided to either NIST or MITRE.
NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a message queuing telemetry transport (MQTT) command injection, unauthorized disclosure of sensitive device information, and remote code execution. If properly chained, these vulnerabilities could result in an unauthorized remote user fully compromising every cloud-managed InHand Networks device reachable by the cloud.
RONDS Advisory
This advisory describes two vulnerabilities in the RONDS Equipment Predictive Maintenance (EPM) product. The vulnerabilities were reported by TsungShu Chiu of CHT Security. RONDS has a new version that mitigates the vulnerabilities. There is no indication that TsungShu has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
Exposure of sensitive information to an unauthorized actor - CVE-2022-3091, and
Path traversal - CVE-2022-2893
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an unauthorized user to leak login credentials and download files. In some circumstances, an unauthorized user can use login credentials to achieve remote code execution.
Sewio Advisory
This advisory describes nine vulnerabilities in the Sewio Real-Time Location System (RTLS) Studio. The vulnerabilities were reported by Andrea Palanca of Nozomi Networks. Sewio has a new version that mitigates the vulnerabilities. There is no indication that Palanca has been provided an opportunity to verify the efficacy of the fix.
The nine reported vulnerabilities are:
Use of hard-coded passwords - CVE-2022-45444,
OS command injection (2) - CVE-2022-47911 and CVE-2022-43483,
Out-of-bounds write - CVE-2022-41989,
Cross-site request forgery (2) - CVE-2022-45127 and CVE-2022-47395,
Improper input validation (2) - CVE-2022-47917 and CVE-2022-43455, and
Cross-site scripting - CVE-2022-46733
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code.
Hitachi Energy Advisory
This advisory describes an improper access control vulnerability in the Hitachi Energy Lumada Asset Performance Management product. The vulnerability is self-reported. Hitachi has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain unauthorized access to any Power BI reports installed or manipulate asset issue comments on assets.
NOTE: I briefly discussed this vulnerability on December 17th, 2022.
Philips Update
This update provides additional information on an advisory that was originally published on November 18th, 2021. The new information includes revising the expected remediation date from “by end of Q4 of 2022” to “by end of Q2 of 2023”.