Public ICS Disclosures – Week of 9-25-21
This week we have seven vendor disclosures from BD, Dell, Festo, Draeger (2), Philips, and Siemens.
BD Advisory
BD published an advisory discussing three vulnerabilities in their HealthSight, Knowledge, Pyxis, Kiestra, and Alaris products. These are third-party (VMware) vulnerabilities. BD is working to test and validate the appropriate VMware updates.
The three vulnerabilities are:
Remote code execution (2) - CVE-2021-21972 (exploit) and CVE-2021-21985 (exploit), and
Heap-based buffer overflow - CVE-2021-21974 (exploit)
NOTE: A more recent VMware advisory affects the same VMware versions as these CVEs, so there might be an impact on the same BD products.
Dell Advisory
Dell published an advisory discussing two vulnerabilities in their Wyse ThinOS product. These are third-party (OpenSSL) vulnerabilities. Dell has either new versions or a security add-on for the affected products.
The two reported vulnerabilities are:
Classic buffer overflow - CVE-2021-3711, and
Out-of-bounds read - CVE-2021-3712
Festo Advisory
CERT-VDE published an advisory discussing four vulnerabilities in the Festo SBRD-Q, SBOC-Q, and SBOI-Q video system products. These are third-party (EIPStackGroup) vulnerabilities. Festo provides generic workarounds and does not intend to fix the problems.
The four vulnerabilities are:
Incorrect conversion between numeric types - CVE-2021-27478,
Out-of-bounds read - CVE-2021-27482,
Reachable assertion (2) - CVE-2021-27500 and CVE-2021-27498
NOTE: NVD-NIST has no entry for any of these four CVEs, which is odd since they were reported by CISA’s NCCIC-ICS. The CVE Numbering Authority (CNA) appears to be Claroty. This is the second set of Claroty-assigned CVEs that I have found not to be reported to NVD-NIST. My request to Claroty for an explanation provided no information.
Draeger Advisories
Draeger published an advisory describing a privilege escalation vulnerability in their Protector Software. Draeger has a new version that mitigates the vulnerability.
Draeger published an advisory discussing the BadAlloc (WindRiver version) vulnerabilities. Draeger reports that their systems using the affected WindRiver components are not affected by the BadAlloc vulnerabilities.
Philips Advisory
Philips published an advisory discussing the most recent VMware advisory. While Philips has products using the affected VMware products, Philips is reporting that none of their products are affected by the reported vulnerabilities.
Siemens Advisory
Siemens published an advisory describing ten vulnerabilities in their Solid Edge products. The vulnerabilities were reported by xina1i via the Zero Day Initiative. Siemens has a new version that mitigates the vulnerabilities. There is no indication that xina1i has been provided an opportunity to verify the efficacy of the fix.
The ten reported vulnerabilities are:
Use after free (6) - CVE-2021-37202, CVE-2021-41535, CVE-2021-41536, CVE-2021-41537, CVE-2021-41539, and CVE-2021-41540,
Out-of-bounds read (3) - CVE-2021-37203, CVE-2021-41533, and CVE-2021-41534, and
Access of uninitialized pointer - CVE-2021-41538.
NOTE: The two CVEs without links were reported directly to Siemens, not through ZDI.
Commentary: It looks like ZDI has become a CNA. This is probably because when they relied on NCCIC-ICS to provide CVEs for their reported vulnerabilities, NCCIC-ICS would frequently combine similar reported vulnerabilities into a single CVE; for example, the three ‘out-of-bounds read’ vulnerabilities listed above might have been listed by NCCIC-ICS as a single vulnerability.
An interesting consequence of becoming a CNA is that ZDI no longer feels the need to coordinate their disclosures through NCCIC-ICS. This is the reason why we did not see this Siemens advisory being reported by CISA this week.