17 Advisories Published - 7-13-21
Today CISA’s NCCIC-ICS published 17 control system security advisories for products from Siemens (15) and Schneider Electric (2). NCCIC-ICS also published four advisory updates that I will address tomorrow.
Siemens published three additional advisories today that were not addressed by NCCIC-ICS. Schneider published four additional advisories today that were not addressed by NCCIC-ICS. I will be addressing those advisories this weekend.
SINUMERIK Advisory
This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens SINUMERIK ONE and SINUMERIK MC CNC products. This vulnerability is self-reported. Siemens is reporting generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in arbitrary code execution and unauthorized access to sensitive data.
NOTE: This same CVE was reported by Siemens back on May 28th, 2021 and NCCIC-ICS on June 1st, 2021. That vulnerability was reported by Tal Kenen of Claroty.
Mendix Advisory
This advisory describes an incorrect authorization vulnerability in the Siemens Mendix Application. The vulnerability is self-reported. Siemens has updates available that mitigate the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthorized users bypass write permissions to attributes of objects.
JT2Go Advisory
This advisory describes 43 vulnerabilities in the Siemens JT2Go and Teamcenter Visualization. The vulnerabilities were reported by Brian Gorenc and Mat Powell of Trend Micro Zero Day Initiative; garmin and xina1i at SecZone; and Tran Van Khang working with ZDI. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The 43 reported vulnerabilities are:
Double free (2) - CVE-2021-34333 and CVE-2021-34330,
Infinite loop - CVE-2021-34332,
Out-of-bounds write (15) - CVE-2021-34331, CVE-2021-34323, CVE-2021-34319, CVE-2021-34318, CVE-2021-34316, CVE-2021-34314, CVE-2021-34311, CVE-2021-34310, CVE-2021-34309, CVE-2021-34305, CVE-2021-34300, CVE-2021-34297, CVE-2021-34295, CVE-2021-34293, and CVE-2021-34291
Heap-based buffer overflow (7) - CVE-2021-34329, CVE-2021-34328, CVE-2021-34327, CVE-2021-34326, CVE-2021-34317, CVE-2021-34313, and CVE-2021-34312,
Buffer over-read (9) - CVE-2021-34325, CVE-2021-34322, CVE-2021-34320, CVE-2021-34308, CVE-2021-34307, CVE-2021-34304, CVE-2021-34303, CVE-2021-34302, and CVE-2021-34299,
Use after free (3) - CVE-2021-34324, CVE-2021-34301, and CVE-2021-34298,
Out-of-bounds read (4) - CVE-2021-34315, CVE-2021-34296, CVE-2021-34294, and CVE-2021-34292, and
Improper restriction of operations within the bounds of a memory buffer - CVE-2021-34306,
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to lead to application crash or potentially arbitrary code execution on the target host system.
NOTE: All of these vulnerabilities are related to various .DLL libraries. I suspect that they should be reported as third-party vulnerabilities. It would be hard to believe that at least some of these same vulnerabilities are not (or have not been) found in other Siemens products and/or products of other vendors.
RWG Advisory
This advisory describes an allocation of resources without limit or throttling vulnerability in the Siemens RWG Universal Controllers. The vulnerabilities are self-reported. The vulnerability has been corrected in the on-line version of the RWG Controller Graphical programming platform.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to RWG Controller Graphical programming platform.
SINAMICS Advisory
This advisory describes an improper restriction of operation within the bounds of a memory buffer vulnerability in the Siemens SINAMICS PERFECT HARMONY GH180 product. The vulnerability is self-reported. Siemens provides generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in arbitrary code execution and unauthorized access to sensitive data.
NOTE: This is the same CVE reported in the SINUMERIK Advisory discussed above.
Industrial Products Advisory #1
This advisory describes a heap-based buffer overflow vulnerability in the Wind River VxWorks-based Industrial Products. The vulnerability is self-reported. Siemens provides generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely access the vulnerability to allow an attacker to cause a heap-based buffer overflow.
NOTE: The link to the Wind River VxWorks advisory (on the NIST NVD web site for CVE-2021-29998) takes one to a Wind River support site that mainly addresses very lengthy Wind River Linux Security Bulletins. I cannot find this DHCP based vulnerability on that site.
Teamcenter Advisory
This advisory describes three vulnerabilities in the Siemens Teamcenter Active Workspace product. The vulnerabilities are self-reported. Siemens has updates available to mitigate the vulnerability.
The three reported vulnerabilities are:
Generation of error message containing sensitive information - CVE-2021-33711,
Cross-site scripting - CVE-2021-33710, and
Exposure of sensitive information to an unauthorized actor - CVE-2021-33709
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to lead to sensitive information disclosure and reflected cross-site scripting.
RUGGEDCOM Advisory
This advisory describes a classic buffer overflow vulnerability in the Siemens RUGGEDCOM ROS. The vulnerability is self-reported. Siemens has new versions that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized actor could remotely exploit the vulnerability to allow an attacker with network access to an affected device to cause a remote code execution condition.
JT Utilities Advisory
This advisory describes three vulnerabilities in the Siemens JT Utilities. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a denial-of-service condition.
NOTE: According to the Siemens advisory the vulnerability was reported by LeeJet from ICICS CO.
Solid Edge Advisory
This advisory describes four heap-based buffer overflow vulnerabilities in the Siemens Solid Edge, portfolio of software tools. The vulnerability was reported by Mat Powell via ZDI. Siemens has a new version that mitigates the vulnerabilities. There is no indication that Powell has been provide an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to result in an out-of-bounds write, a buffer overflow condition that may allow remote code execution.
Industrial Products Advisory #2
This advisory describes two vulnerabilities in the Siemens Industrial Products. These are third-party vulnerabilities. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Classic buffer overflow - CVE-2015-8011, and
Uncontrolled resource consumption - CVE-2020-27827
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to cause a denial-of-service condition or execute arbitrary code.
SIMATIC Advisory #1
This advisory describes an incorrect permission assignment vulnerability to the Siemens SIMATIC Software Products. The vulnerability is self-reported. Siemens has updates that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to manipulate parameters or the behavior of devices configured by the affected software products.
SIMATIC Advisory #2
This advisory describes a classic buffer overflow vulnerability in the Siemens SIMATIC Software Products. This vulnerability was reported by Uri Katz from Claroty. Siemens has updates that mitigate the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to manipulate project files, create a denial-of-service condition or remotely execute code.
SINUMERIK Advisory
This advisory describes an improper certificate validation vulnerability in the SINUMERIK Integrate Operate Client. The vulnerability is self-reported. Siemens has updates available that mitigate the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an attacker to spoof any SSL server certificate and conduct man-in-the-middle attacks.
PROFINET Advisory
This advisory describes an allocation of resources without limit or throttling in the Siemens PROFINET Devices. The vulnerability is self-reported. Siemens has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to perform a denial-of-service attack if a large amount of PROFINET Discovery and Configuration Protocol (DCP) reset packets is sent to the affected devices.
SCADApack Advisory
This advisory describes six vulnerabilities in the Schneider EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect x70, SCADAPack x70 RTUs, and Modicon M580 and M340 control products. The vulnerabilities were reported by multiple researchers from multiple organizations. Schneider has provided various mitigation workarounds to these vulnerabilities.
The six reported vulnerabilities are:
Insufficiently protected credentials - CVE-2021-22778, CVE-2021-22780, CVE-2021-22781, and CVE-2021-22782
Authentication bypass by spoofing - CVE-2021-22779, and
Deserialization of untrusted data - CVE-2020-12525,
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow arbitrary code execution and loss of confidentiality and integrity of the project file.
C-Bus Toolkit Advisory
This advisory describes a missing authentication for critical function vulnerability in the Schneider C-Bus Toolkit. The vulnerability was reported by rgod via ZDI. Schneider has a new version that mitigates the vulnerability. There is no indication that rgod was offered an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to enable remote access to the system.