14 Advisories Published – 6-8-21
Today CISA's NCCIC-ICS published fourteen control system security advisories for products from Siemens (8), Thales, Schneider (2), AVEVA, Open Design Alliance, and Johnson Controls. NCCIC-ICS also published ten updates today; they will be addressed in a separate blog post tomorrow.
JT2Go Advisory
This advisory describes an out-of-bounds write vulnerability in the Siemens JT2Go and Teamcenter Visualization products. The vulnerability was reported by the Zero Day Initiative. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to execute code in the context of the current process.
SIMATIC Advisory #1
This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC RF Products. The vulnerability is self-reported. Siemens has new versions for most of the affected products. Siemens provides generic workarounds for the remaining products.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to SIMATIC RF Products.
Simcenter Advisory
This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap products. The vulnerability was reported by Francis Provencher working with ZDI. Siemens has new versions that mitigate the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed and may allow arbitrary remote code execution or data extraction. The Siemens advisory notes that a social engineering attack could be used to cause an authorized user to open a malicious file to exploit the vulnerability.
SIMATIC Advisory #2
This advisory describes fifteen vulnerabilities in the Siemens SIMATIC NET CP 443-1 OPC UA product. These are third-party vulnerabilities (NTP). The vulnerabilities were self-reported. Siemens provides generic workarounds to mitigate the vulnerabilities.
The fifteen reported vulnerabilities are:
Improper input validation (6) - CVE-2016-9042 (exploit), CVE-2016-7431, CVE-2016-4956, CVE-2015-7705, CVE-2015-8138, and CVE-2016-1547 (exploit),
Improper restriction of operations within the bounds of a memory buffer - CVE-2017-6458,
Incorrect calculation - CVE-2016-7433,
Classic buffer overflow - CVE-2015-7853,
Improper authentication - CVE-2016-4953,
Race condition (2) - CVE-2016-4954 and CVE-2016-4955,
Data processing errors - CVE-2016-1548 (exploit),
Exposure of sensitive information to unauthorized actor - CVE-2016-1550, and
Out-of-bounds read - CVE-2016-2518
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to create a denial-of-service condition as well as other specified and unspecified impacts.
SIMATIC Advisory #3
This advisory describes two vulnerabilities in the Siemens SIMATIC TIM 1531 IRC. These are third-party vulnerabilities (libcurl). The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Exposure of sensitive information to an unauthorized actor - CVE-2020-8169, and
Improper certificate validation - CVE-2020-8286
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to extract sensitive information and pass a revoked certificate as valid.
Solid Edge Advisory
This advisory describes two out-of-bounds write vulnerabilities in the Siemens Solid Edge products. The vulnerabilities were reported by Garmin working with ZDI. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to lead to an application crash or arbitrary code execution on the target host system. The Siemens advisory notes that a social engineering attack could be used to get an authenticated user to open a malformed file to exploit the vulnerability.
TIM Advisory
This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIM 1531 IRC. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.
Mendix Advisory
This advisory describes an insufficient verification of data authenticity vulnerability in the Siemens Mendix SAML Module. This vulnerability is self-reported. Mendix has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.
Thales Advisory
This advisory describes an incomplete cleanup vulnerability in the Thales Sentinel LDK Run-Time Environment (RTE). This vulnerability was reported to CISA anonymously. Thales has a new version that mitigates the vulnerability.
NCCIC-ICS reports that products that have uninstalled software using the Sentinel LDK Run-Time Environment may have a port left open that could allow an attacker to connect.
Modicon Advisory
This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Modicon X80 product. The vulnerability was reported by Chizuru Toyama, TXOne IoT/ICS Security Research Labs of Trend Micro. Schneider provides generic workarounds pending development of mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in information disclosure to an unauthenticated remote user, which could result in an understanding of the network architecture.
IGSS Advisory
This advisory describes thirteen vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by kimiya working with ZDI and, separately, by Michael Heinzl. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The thirteen reported vulnerabilities are:
Out-of-bounds write (5) - CVE-2021-22750, CVE-2021-22751, CVE-2021-22752, CVE-2021-22754, and CVE-2021-22755,
Out-of-bounds read (3) - CVE-2021-22753, CVE-2021-22756, and CVE-2021-22757,
Access of uninitialized pointer - CVE-2021-22758,
Use after free - CVE-2021-22759,
Release of invalid pointer or reference - CVE-2021-22760,
Improper restriction of operations within the bounds of a memory buffer - CVE-2021-22761, and
Improper limitation of a pathname to a restricted directory - CVE-2021-22762
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to result in remote code execution, which could result in an attacker gaining access to the Windows Operating System on the machine used to import CGF and WSP files.
NOTE: Schneider published four additional advisories today. If they are not addressed by NCCIC-ICS on Thursday, I will discuss them in my Public ICS Disclosure post this weekend.
AVEVA Advisory
This advisory describes a clear-text storage of sensitive information in memory vulnerability in the AVEVA InTouch 2020 R2 product. The vulnerability was reported by Ilya Karpov, Evgeniy Druzhinin, and Konstantin Kondratev of Rostelecom-Solar. AVEVA has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to expose cleartext credentials from InTouch Runtime.
NOTE: I briefly discussed this vulnerability last Saturday in my Public ICS Disclosure post.
ODA Advisory
This advisory describes eight vulnerabilities in the ODA Drawings SDK product. The vulnerabilities were reported by Mat Powell and Brian Gorenc of ZDI. ODA has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The eight reported vulnerabilities are:
Out-of-bounds read (3) - CVE-2021-32938, CVE-2021-32940, and CVE-2021-32950,
Out-of-bounds write (3) - CVE-2021-32936, CVE-2021-32948, and CVE-2021-32952,
Improper check for unusual or exceptional conditions - CVE-2021-32946, and
Use after free - CVE-2021-32944
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow code execution in the context of the current process or cause a denial-of-service condition.
Johnson Controls Advisory
This advisory describes an improper privilege management vulnerability in the Johnson Controls Metasys Servers, Engines, and Tools. The vulnerability was reported by Jakub Palaczynski. Johnson Controls has patches available that mitigate the vulnerability. There is no indication that Palaczynski has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system.
NOTE: I briefly discussed this vulnerability last Saturday in my Public ICS Disclosure post.