Today the CISA NCCIC-ICS published five control system
security advisories for products from Siemens (4) and Schneider Electric. They
also published a medical device security advisory for products from SOOIL
Developments. NCCIC-ICS also updated seven advisories today. I will report on
them separately.

SCALANCE Advisory #1

This advisory describes
three vulnerabilities in the Siemens SCALANCE X Products. The vulnerabilities
are self-reported. Siemens has updates for several of the affected products.

The three reported vulnerabilities are:

• Missing authentication for
critical function – CVE-2020-15799, and

• Heap-based buffer overflow (2) – CVE-2020-15800
and CVE-2020-25226

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause denial-of-service conditions
and further impact the system through heap and buffer overflows.

Solid Edge Advisory

This advisory describes
six vulnerabilities in Siemens Solid Edge. The vulnerabilities were reported
by rgod via the Zero Day Initiative. Siemens has an updated version that
mitigates the vulnerabilities. There is no indication that rgod has been provided
an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Out-of-bounds write (4) – CVE-2020-28381,
CVE-2020-28382, CVE-2020-28383, and CVE-2020-28386, and

• Stack-based buffer overflow (2) –
CVE-2020-28384 and CVE-2020-26989

NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to allow
arbitrary code execution on an affected system.

JT2Go Advisory

This advisory describes
eighteen vulnerabilities in the Siemens JT2Go and Teamcenter Visualization
products. The vulnerabilities were reported by rgod via ZDI. Siemens has new
versions that mitigate the vulnerabilities. There is no indication that rgod
has been provided an opportunity to verify the efficacy of the fix.

The eighteen reported vulnerabilities are:

• Type confusion (2) – CVE-2020-26980 and CVE-2020-26990,

• Improper restriction of XML
external entity reference – CVE-2020-26981,

• Out-of-bounds write (7) – CVE-2020-26982,
CVE-2020-26983, CVE-2020-26984, CVE-2020-26988, CVE-2020-26995, CVE-2020-26996,
and CVE-2020-28383,

• Heap-based buffer overflow (4) – CVE-2020-26985,
CVE-2020-26986, CVE-2020-26987, and CVE-2020-26994,

• Stack-based buffer overflow (3) –
CVE-2020-26989, CVE-2020-26992, and CVE-2020-26993, and

• Untrusted pointer dereference – CVE-2020-26991

NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to lead to
arbitrary code execution.

SCALANCE Advisory #2

This advisory describes
two use-of-hard-coded-cryptographic-key vulnerabilities in the Siemens SCALANCE
X200, X200IRT, and X300 switch families. The vulnerabilities are self-reported.
Siemens has updates for some of the affected products that mitigate the
vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow an attacker to execute a
man-in-the-middle attack and decrypt previously captured traffic.

Schneider Advisory

This advisory describes
two unrestricted upload of file with dangerous type vulnerabilities in the
Schneider EcoStruxure Power Build – Rapsody products. The vulnerabilities were
reported by rgod via ZDI. Schneider is working on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit these vulnerabilities to allow a local attacker to upload a malicious
SSD file, resulting in a use-after-free condition or a stack-based buffer
overflow.

SOOIL Advisory

This advisory describes
nine vulnerabilities in the SOOIL Dana Diabecare Insulin Pumps. The vulnerabilities
were reported by Julian Suleder, Birk Kauer, Raphael Pavlidis, and Nils
Emmerich of ERNW Research GmbH. SOOIL has new versions that mitigate the vulnerabilities.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Use of hard-coded credentials – CVE-2020-27256,

• Insufficiently protected
credentials – CVE-2020-27258,

• Insufficiently random values – CVE-2020-27264,

• Use of client-side authentication
– CVE-2020-27266,

• Client-side enforcement of server-side
security – CVE-2020-27268,

• Authentication bypass by
capture-replay – CVE-2020-27269,

• Unprotected transport of credentials
– CVE-2020-27270,

• Key exchange without entity authentication
– CVE-2020-27272, and

• Authentication bypass by spoofing – CVE-2020-27276

Author of this post: PJCoyle