Public ICS Disclosures - Week of 5-22-21
This week we have 17 vendor disclosures from Bosch, B&R Automation, CODESYS (2), GE Grid Solutions, Moxa, Philips (2), Ruckus, Siemens (2), Texas Instruments (4), and VMware. There is one update from Boston Scientific.
Bosch Advisory
Bosch published an advisory describing two vulnerabilities in their B426, B426-CN/B429-CN, and B426-M products. The vulnerabilities were reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs of Trend Micro. Bosch has new firmware versions that mitigate the vulnerabilities. There is no indication that Toyama has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
Improper access control - CVE-2021-23845, and
Cleartext transmission of sensitive information - CVE-2021-23846
B&R Advisory
B&R published an advisory describing a very large number (4.5 pages of CVE listings) of vulnerabilities in their Automation Runtime NTP Service due to using an outdated version of ntpd. B&R has a new version that mitigates the vulnerabilities.
None of the listed CVEs have a CVSS score of over 8.0. The ones listed at 7.5 include:
Improper key generation - CVE-2014-9293 (exploit),
Weak cryptographic process - CVE-2014-9294 (exploit),
Stack-based buffer overflow - CVE-2014-9295 (exploit),
Improper input validation - CVE-2015-7705,
Classic buffer overflow - CVE-2015-7853,
Improper authentication - CVE-2015-7871, and
Out-of-bounds write - CVE-2018-12327 (exploit)
CODESYS Advisories
CODESYS published an advisory describing a heap-based buffer overflow vulnerability in their V3 web server. The vulnerability was reported by Device Security Assurance Center of ABB. CODESYS has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
CODESYS published an advisory describing an improper handling of exceptional conditions vulnerability in their V3 Runtime Toolkit for VxWorks. The vulnerability was reported by Device Security Assurance Center of ABB. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
GE Advisory
GE Grid Solutions published an advisory describing two vulnerabilities in their RPV311 Multifunctional Digital Fault Recorder. The vulnerabilities were reported by Anonymous at the Zero Day Initiative. GE provides generic workarounds for the first vulnerability and whitelisting instructions for the second.
The two reported vulnerabilities are:
Hard coded credentials,
Use of EOL Adobe Flash Player
Moxa Advisory
Moxa published an advisory describing ten vulnerabilities in their NPort IAW5000A-I/O Series Serial Device Server. The vulnerabilities were reported by Konstantin Kondratev, Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has a security patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The ten reported vulnerabilities are:
Buffer overflow (2) - BDU:2021-02699 and BDU:2021-02702,
Stack-based buffer overflow (5) - BDU:2021-02700, BDU:2021-02701, BDU:2021-02703, BDU:2021-02704, and BDU:2021-02708,
Improper input validation (2) - BDU:2021-02705 and BDU:2021-02706, and
OS command injection - BDU:2021-02707
NOTE: The BDU numbers above are roughly CVE equivalents issued by BDU FSTEC, the Russian federal cybersecurity service.
Philips Advisories
Philips published an advisory discussing the recent VMware vulnerabilities (CVE-2021-21985 & CVE-2021-21986) covered below. They have determined that those vulnerabilities affect ‘a limited number of products’ (unnamed in the advisory). Philips recommends applying the VMware updates.
Philips published an advisory discussing the Conti ransomware situation. To avoid the prospect of changes of configuration or software to Philips’ products (including operating system security updates and patches) becoming the source of a ransomware infection, Philips recommends that customers only use Philips’ product-specific, verified & validated, authorized, and communicated customer procedures or field actions.
NOTE: Philips does not provide separate web URLs for their advisories; they are all on a single page. This is why the two links above are identical.
Ruckus Advisory
Ruckus published an advisory describing seven vulnerabilities in their RUCKUS IoT Controller. The vulnerabilities were reported by Jim Becher of KoreLogic who has included proof-of-concept exploits (see links below) for each of the vulnerabilities. Ruckus has a software update that mitigates the vulnerabilities. There is no indication that Becher has been provided an opportunity to verify the efficacy of the fix.
Execution with unnecessary privileges - CVE-2021-33217,
Path traversal - CVE-2021-33215,
Use of hard-coded password (2) - CVE-2021-33219 and CVE-2021-33218,
Use of hard-coded credentials - CVE-2021-33220, and
Missing authentication for critical function (2) - CVE-2021-33221 and CVE-2021-33216
NOTE: Becher has a separate listing of exploits for each of these vulnerabilities over on https://packetstormsecurity.com/files/. They look pretty much like the POCs in the KoreLogic reports linked above.
Siemens Advisories
Siemens published an advisory discussing the Luxion KeyShot vulnerabilities in their Solid Edge product. Siemens recommends updating the KeyShot program.
NOTE: It will be interesting to see if NCCIC-ICS updates their ICSA-21-145-01 advisory to include a link to this advisory or if they will publish a new advisory for these vulnerabilities in the Siemens products.
Siemens published an advisory describing a memory protection bypass through a specific operation vulnerability in their SIMATIC S7-1200 and S7-1500 CPU Families. The vulnerability was reported by Tal Keren from Claroty. Siemens has new versions that mitigate the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.
NOTE: These out-of-zone advisories from Siemens are getting more and more common.
TI Advisories
TI published an advisory discussing a Bluetooth Passkey authentication vulnerability in their software development kits. This is a third-party (Bluetooth) vulnerability. TI has new versions that mitigate the vulnerability.
TI published an advisory discussing a Bluetooth legacy-pairing protocol authentication vulnerability in their software development kits. This is a third-party (Bluetooth) vulnerability. TI has new versions that mitigate the vulnerability.
TI published an advisory discussing a Bluetooth PIN-Code Pairing Key Derivation vulnerability in their CC2564C FW and WL18xx FW products. This is a third-party (Bluetooth) vulnerability. TI has new versions that mitigate the vulnerability.
TI published an advisory describing two vulnerabilities in the Boot Image Manager (BIM) software for CC13x2, CC26x2 and CC2640R2 devices. TI has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are in the following operations:
Secure firmware update, and
Secure boot operations
VMware Advisory
VMware published an advisory describing two vulnerabilities in their vSphere Client (HTML5). VMware has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Remote code execution - CVE-2021-21985, and
Authentication mechanism - CVE-2021-21986
NOTE: VMware has a blog post about these two vulnerabilities and their mitigation.
Boston Scientific Update
Boston Scientific published an update for their NAME:WRECK advisory that was originally published on May 1st, 2021. The new information is that they are announcing that none of their products are affected.