VACATION DELAYED
Earlier this week, CISA’s NCCIC-ICS published 15 control system security advisories for products from Rockwell Automation (4), PTC, SDG, BirdDog, Teltonika, Sierra Wireless, and Siemens (6).
Rockwell Advisory #1
This advisory describes an inadequate encryption strength vulnerability in the Rockwell ThinManager software management platform. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to decrypt traffic sent between the client and server application programming interface (API), resulting in unauthorized access to information.
NOTE: This advisory includes information from v 2.0 of the Rockwell advisory.
Rockwell Advisory #2
This advisory discusses two vulnerabilities in the Rockwell PanelView 800 graphics terminal, one with a known exploit. These are third-party (WolfSSL) vulnerabilities. Rockwell has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Out-of-bounds write - CVE-2020-36177 (exploit), and
Out-of-bounds read - CVE-2019-16748
Rockwell Advisory #3
This advisory describes three vulnerabilities involving incorrect restriction of operations within the bounds of a memory buffer in the Rockwell Arena Simulation Software. The vulnerabilities were reported by Simon Janz of the Zero Day Initiative. Rockwell has a new version that mitigates the vulnerabilities. There is no indication that Janz has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow a malicious user to commit unauthorized arbitrary code to the software using a memory buffer overflow.
Rockwell Advisory #4
This advisory describes an improper access control vulnerability in the Rockwell Kinetix 5500 EtherNet/IP Servo Drive. The vulnerability was self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to create a denial-of-service condition or allow attackers unauthorized access to the device.
PTC Advisory
This advisory describes six vulnerabilities in the PTC Vuforia Studio products. The vulnerabilities were reported by Lockheed Martin—Red Team. PTC has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
Insufficiently protected credentials - CVE-2023-29168,
Improper authorization (2) - CVE-2023-24476 and CVE-2023-29152,
Unrestricted upload of file with dangerous type - CVE-2023-27881,
Path traversal - CVE-2023-29502, and
Cross-site request forgery - CVE-2023-31200
SDG Advisory
This advisory describes an SQL injection vulnerability in the SDG PnPSCADA products. The vulnerability was reported by Momen Eldawakhly of Samurai Digital Security Ltd. PTC provides generic mitigation measures pending development of a fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to interact with the database and retrieve critical data.
BirdDog Advisory
This advisory describes two vulnerabilities in various BirdDog cameras and encoders. The vulnerabilities were reported by Alan Cao. BirdDog has a patch which mitigates the vulnerabilities. There is no indication that Cao has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
Cross-site request forgery - CVE-2023-2505, and
Use of hard-coded credentials - CVE-2023-2504
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to remotely execute code or obtain unauthorized access to the product.
Teltonika Advisory
This advisory describes eight vulnerabilities in the Teltonika Remote Management System and RUT model routers. The vulnerabilities were reported by Roni Gavrilov of OTORIO and Noam Moshe of Claroty Research. Teltonika has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The eight reported vulnerabilities are:
Observable response discrepancy - CVE-2023-32346,
Improper authentication (2) - CVE-2023-32347 and CVE-2023-2586,
Server-side request forgery - CVE-2023-32348,
Cross-site scripting - CVE-2023-2587,
Inclusion of web functionality from untrusted source - CVE-2023-2588,
External control of system or configuration setting - CVE-2023-32349, and
OS command injection - CVE-2023-32350
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.
Sierra Wireless Advisory
This advisory describes two vulnerabilities in the Sierra Wireless AirVantage cloud management platform. The vulnerabilities were reported by Roni Gavrilov of OTORIO. Sierra Wireless has updated their Warranty Checker tool to correct one of the vulnerabilities and provides generic mitigation measures for the other.
The two reported vulnerabilities are:
Improper authentication - CVE-2023-31279, and
Exposure of sensitive information to unauthorized actor - CVE-2023-31280
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to configure devices and to receive sensitive device information.
Siemens Advisory #1
This advisory describes four vulnerabilities in the Siemens SCALANCE LPE9403. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Command injection - CVE-2023-27407,
Creation of a temporary file with insecure permissions - CVE-2023-27408,
Path traversal - CVE-2023-27409, and
Heap-based buffer overflow - CVE-2023-27410
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to gain access to the device as root or create a denial-of-service condition.
Siemens Advisory #2
This advisory discusses nine vulnerabilities in the Siemens SINEC NMS. These are third-party vulnerabilities. Siemens has a new version that mitigates the vulnerabilities.
The nine reported vulnerabilities are:
Expected behavior violation - CVE-2022-32221 (exploit),
Improper validation of syntactic correctness of input - CVE-2022-35252 (exploit),
Stack-based buffer overflow - CVE-2022-35260 (exploit),
Use after free (3) - CVE-2022-40674, CVE-2022-43552 (exploit), and CVE-2022-43680 (includes POC),
Double free - CVE-2022-42915,
Cleartext transmission of sensitive information (2) - CVE-2022-42916 and CVE-2022-43551 (exploit)
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to impact SINEC NMS confidentiality, integrity, and availability.
Siemens Advisory #3
This advisory describes seven vulnerabilities in the Siemens SIMATIC Cloud Connect 7 product. The vulnerabilities are self-reported. Siemens has new versions that mitigate the vulnerabilities.
The seven reported vulnerabilities are:
Command injection - CVE-2023-28832,
Use of hard-coded password - CVE-2023-29103,
Path traversal (2) - CVE-2023-29104 and CVE-2023-29128,
Missing standardized error handling mechanism - CVE-2023-29105,
Exposure of sensitive information to unauthorized actor - CVE-2023-29106, and
Files or directories accessible to external parties - CVE-2023-29107
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to execute arbitrary code.
Siemens Advisory #4
This advisory describes two deserialization of untrusted data vulnerabilities in the Siemens Siveillance Video IP video management software. The vulnerabilities were reported by Milestone PSIRT. Siemens has a hot-fix that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an authenticated remote attacker to execute code on the affected system.
NOTE: This looks like it is probably a third-party vulnerability in the Milestone XProtect Management Server even though NVD.NIST.gov reports Siemens as the reporting party. Thus, other vendors may also be affected by these two vulnerabilities.
Siemens Advisory #5
This advisory discusses the Framing Frames vulnerability in the Siemens SCALANCE W1750D products. Siemens provides generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to allow an attacker to disclose sensitive information or steal the unsuspecting user’s session.
NOTE: This is going to be another widespread vulnerability (it has already been reported by Aruba and SonicWall). In fact, Siemens notes in their advisory that the W1750D is a rebrand of an Aruba product. This may be why Siemens is not currently reporting any other products being affected by the vulnerability in the underlying IEEE standard.
Siemens Advisory #6
This advisory describes three vulnerabilities in the Siemens Solid Edge SE2023 product. One of these is a third-party (STEPTools) vulnerability. The vulnerabilities were reported by ZDI. Siemens has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
NULL pointer dereference - CVE-2023-0973,
Out-of-bounds read - CVE-2023-30985, and
Improper restriction of operations within the bounds of a memory buffer - CVE-2023-30986
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to execute arbitrary code or crash the application.