6 Advisories Published - 6-29-21
Today CISA’s NCCIC-ICS published six control system security advisories for products from Claroty, Aveva, JTEKT, Panasonic and Johnson Controls (two advisories).
Claroty Advisory
This advisory describes an authentication bypass using an alternative path or channel vulnerability in the Claroty Secure Remote Access Site. The vulnerability was reported by Alphastrike Labs. Claroty has a newer version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with local (Linux) system access could exploit the vulnerability to bypass access controls for the central configuration file of the SRA Site software.
NOTE: Interesting flip of roles, but I would have expected Claroty to have an advisory on their site about the vulnerability and to have allowed the researcher to confirm the efficacy of the fix.
Aveva Advisory
This advisory describes two vulnerabilities in the Aveva System Platform. The vulnerabilities were reported by Sharon Brizinov of Claroty. Aveva has updates that mitigate the vulnerabilities. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
Missing authentication for critical function - CVE-2021-33008, and
Uncaught exception - CVE-2021-33010
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerabilities, if chained together, to achieve arbitrary code execution with system privileges or cause a denial-of-service condition.
NOTE: The Aveva advisory (that I discussed Saturday; subscription required) includes three other vulnerabilities not listed here:
Path traversal,
Origin validation error, and
Improper verification of digital signature
JTEKT Advisory
This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the JTEKT TOYOPUC PLCs. The vulnerability was reported by Chris Yang via the Zero Day Initiative. JTEKT has new firmware versions that mitigate the vulnerability. There is no indication that Yang has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to crash the device being accessed.
Panasonic Advisory
This advisory describes an improper restriction of XML external entity reference vulnerability in the Panasonic FPWIN Pro programming control software. The vulnerability was reported by Michael Heinzl. Panasonic has a new version that mitigates the vulnerability. There is no indication that Heinzl has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker (the required access is not characterized) could remotely exploit the vulnerability to retrieve sensitive information from the file system where the affected software is installed.
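The vulnerability class named in the Panasonic advisory (an XML external entity reference that is not restricted) is the one where a parser honours a DOCTYPE's SYSTEM identifier and pulls local file contents into the document. The usual mitigation is to refuse DTDs outright before parsing. The following Python loader, added here as an illustration and not code from Panasonic, CISA or the advisory, does that with the standard library expat bindings; the element names, the "project" document shape and the placeholder SYSTEM identifier are all constructed for this example and are not taken from the FPWIN Pro file format.

```python
"""Added example (not Panasonic's or CISA's code): an XML loader that refuses
DTDs, entity declarations and external entity references before any of them
can be used to read files off the host running the software.
The sample documents below are constructed for this example."""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD construct the loader refuses to process."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse a small XML document into {child tag: text} for the root's direct children.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse with UnsafeXmlError, so a SYSTEM identifier is never resolved.
    """
    parser = expat.ParserCreate()

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE refused (root element {name!r})")

    def refuse_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration refused ({name!r})")

    def refuse_external(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference refused ({sysid!r})")

    # Belt and braces: the DOCTYPE handler fires first, but the other two
    # would still stop an entity that slipped past a future parser change.
    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external

    fields: dict = {}
    depth = 0
    buf: list = []

    def start(tag, attrs):
        nonlocal depth
        depth += 1
        buf.clear()

    def chars(text):
        buf.append(text)  # expat may deliver one text node in several chunks

    def end(tag):
        nonlocal depth
        if depth == 2:  # direct child of the root element
            fields[tag] = "".join(buf).strip()
        depth -= 1

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return fields


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses under the DTD-free policy, False if it was refused."""
    try:
        parse_without_dtd(data)
    except UnsafeXmlError:
        return False
    return True


# Constructed sample: a benign project-style document with no DTD.
SAFE_DOC = b"<project><name>Pump station</name><plc>placeholder-model</plc></project>"

# Constructed sample: the same document carrying a DOCTYPE that declares an
# external entity with a placeholder SYSTEM identifier.  A parser that honoured
# the declaration would substitute the referenced resource's contents into
# <name>; this loader refuses the DOCTYPE before it gets that far.
DTD_DOC = (
    b'<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
    b"<project><name>&ext;</name><plc>placeholder-model</plc></project>"
)

if __name__ == "__main__":
    print(parse_without_dtd(SAFE_DOC))  # {'name': 'Pump station', 'plc': 'placeholder-model'}
    print(is_safe_xml(DTD_DOC))         # False
```

Rejecting every DOCTYPE is stricter than disabling only external entities, but it also closes off internal-entity expansion attacks and is the simplest policy to audit: a document that needs a DTD is not something an engineering tool should be loading from an untrusted source.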
exacqVision Advisory #1
This advisory describes a cross-site scripting vulnerability in the Johnson Controls exacqVision Enterprise Manager. The vulnerability was reported by Milan Kyselica and Roman Stevanak. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to send malicious requests on behalf of the victim.
NOTE: The link to the Johnson Controls advisory (JCI-PSA-2021-08) is still not working, like I reported on Saturday.
exacqVision Advisory #2
This advisory describes a cross-site scripting vulnerability in the Johnson Controls exacqVision Web Service. The vulnerability was reported by Milan Kyselica and Roman Stevanak. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to send malicious requests on behalf of the victim.
NOTE: The link to the Johnson Controls advisory (JCI-PSA-2021-08) is still not working, like I reported on Saturday.
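Both exacqVision advisories concern cross-site scripting, where a value a user supplied is written back into a page without being encoded for the context it lands in. The Python snippet below is an added illustration of that mitigation and is not code from Johnson Controls, CISA or either advisory; the results page, its link list and the sample inputs are constructed here, and the fix shown (context-appropriate escaping plus a URL scheme allow-list) is the general one, not a description of what the vendor changed.

```python
"""Added example (not Johnson Controls' or CISA's code): rendering user-supplied
values into HTML with escaping chosen for each context, beside the unsafe
string-formatting it replaces.  All inputs below are constructed."""
import html
from urllib.parse import urlsplit


def render_unsafe(query: str) -> str:
    """The pattern behind reflected XSS: raw input pasted into markup."""
    return f"<p>Results for {query}</p>"


def render_text(query: str) -> str:
    """Text-node context: escape <, >, &, and quotes."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def safe_href(url: str) -> str:
    """URL context: allow only absolute http(s) links; anything else becomes '#'."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_link(label: str, url: str) -> str:
    """Attribute context for the href (quote=True) and text context for the label."""
    href = html.escape(safe_href(url), quote=True)
    return f'<a href="{href}">{html.escape(label)}</a>'


def render_results_page(query: str, links: list[tuple[str, str]]) -> str:
    """Assemble a small results page where every dynamic value is encoded."""
    items = "".join(f"<li>{render_link(label, url)}</li>" for label, url in links)
    return f"{render_text(query)}<ul>{items}</ul>"


def contains_raw_markup(fragment: str, untrusted: str) -> bool:
    """True if the untrusted string reached the output with its markup intact."""
    return untrusted in fragment


# Constructed inputs: a search term carrying a tag, and a link whose URL uses a
# non-http scheme that a browser would treat as executable.
QUERY = '<b>injected</b>"'
LINKS = [("Camera 1", "https://example.invalid/camera/1"),
         ("Bad link", "javascript:void(0)")]

if __name__ == "__main__":
    print(render_unsafe(QUERY))                # tag survives: vulnerable
    print(render_results_page(QUERY, LINKS))   # tag encoded, bad scheme replaced by '#'
```

`html.escape` is the right tool only for text and quoted-attribute contexts; a value placed inside a script block or an inline event handler needs a different encoder or, better, never goes there at all. The scheme allow-list in `safe_href` exists because attribute escaping alone cannot make a URL's scheme safe.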