2 Advisories and 1 Update Published – 2-3-22
Today, CISA’s NCCIC-ICS published two control system security advisories for products from Airspan Networks and Johnson Controls. They also updated an advisory for products from FANUC.
Airspan Advisory
This advisory describes seven vulnerabilities in the Airspan Mimosa products. The vulnerabilities were reported by Noam Moshe of Claroty. Airspan has new versions that mitigate the vulnerabilities. There is no indication that Moshe has been provided an opportunity to verify the efficacy of the fix.
The seven reported vulnerabilities are:
Improper authorization - CVE-2022-21196,
Incorrect authorization - CVE-2022-21141,
Server-side request forgery - CVE-2022-21215,
SQL injection - CVE-2022-21176,
Deserialization of untrusted data - CVE-2022-0138,
OS command injection - CVE-2022-21143, and
Use of broken or risky cryptographic algorithm - CVE-2022-21800
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain user data (including organization details) and other sensitive data, compromise Mimosa’s AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices.
Johnson Controls Advisory
This advisory describes an improper input validation vulnerability in the Johnson Controls (Sensormatic subsidiary) DSC PowerManage operating platform. This is a third-party (Log4Shell) vulnerability with multiple exploits.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain remote code execution.
NOTE: This NCCIC-ICS advisory does not mention the Log4Shell vulnerability by name (it does list the CVE), even though the Johnson Controls advisory does. The Johnson Controls Log4Shell advisory does not list the PowerManage product even though it does list other Sensormatic PowerSeries products.
FANUC Update
This update provides additional information on an advisory that was originally published on December 7th, 2021. The new information includes removing the R-30iB Compact from the list of affected products.
NOTE: The FANUC advisory for these vulnerabilities (published on December 16th, 2021) did not include that product in the affected products list.