Six Advisories Published - 7-1-21
7-1-21
Today CISA’s NCCIC-ICS published six control system security Advisories for products from Bachmann Electronic, Mitsubishi Electric (2), Delta Electronics, and Johnson Controls (2).
Bachmann Advisory
This advisory describes a use of password hash with insufficient computational effort in the Bachmann M-Base Controllers. The vulnerability is self-reported. Bachmann has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated remote attacker to gain access to the password hashes of the controller if Security Level 4 is not in use as recommended. In the recommended Security Level 4 setting, an authenticated remote attacker could get access to user credentials.
NOTE #1: This advisory was originally released on the HSIN ICS Library (limited access) on January 26th, 2021.
NOTE #2: Bachmann provides an advisory [.PDF Download link] for this vulnerability, but it is password protected. NCCIC-ICS provides the password (_pC5#3fS@Y8s) in the advisory published today. Kind of defeats the whole point of the password protection.
NOTE #3: The NCCIC-ICS advisory make it clear that the affected Bachmann products are used by other vendors who presumably have had a chance to update their affected products, but no list of vendors or products is included in this advisory. We will just have to watch out for CVE CVE-2020-16231.
Mitsubishi Advisory #1
This advisory describes an improper restriction of XML external entity reference vulnerability in the Mitsubishi Air Conditioning Systems. The vulnerability was reported by Howard McGreehan of Aon's Cyber Solutions. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that McGreehan has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to disclose some of the data in the air conditioning system or cause a denial-of-service condition.
Mitsubishi Advisory #2
This advisory describes an incorrect implementation of authentication algorithm in the Mitsubishi Air Conditioning Systems. The vulnerability was reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs via the Zero Day Initiative. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that Toyama has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to disclose configuration information of the air conditioning system in order to tamper with operation information and system configuration.
Delta Advisory
This advisory describes an out-of-bounds read vulnerability in the Delta DOPSoft. The vulnerability was reported by Natnael Samson via ZDI. Delta has a new version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution and disclose information.
Johnson Controls Advisory #1
This advisory describes an improper input validation vulnerability in the Johnson Controls C-CURE 9000. The vulnerability was self-reported. Johnson Controls has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote execution of lower privileged Windows programs.
Johnson Controls Advisory #2
This advisory describes an improper privilege management vulnerability in the Johnson Controls Facility Explorer SNC Series Supervisory Controller. The vulnerability is self-reported. Johnson Controls has a patch available to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to give an authenticated user an unintended level of access to the controller’s file system.
NOTE: Johnson Control’s Security Advisories web page continues to have problems with the links to the individual advisories. They continue to return a ‘Document Not Found’ message.