Today CISA’s NCCIC-ICS published two control system security
advisories for products from Rockwell and Open Design Alliance, as well as a
medical device security advisory for products from Hamilton Medical. They also
updated an advisory from M&M Software (WAGO).

Rockwell Advisory

This advisory describes an improper handling of length parameter
inconsistency vulnerability in the Allen-Bradley MicroLogix 1100
Programmable Logic Controller. The vulnerability was reported by Talos.
Rockwell advises upgrading to the MicroLogix 1400, firmware v21.006 or
higher.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause denial-of-service
conditions.

NOTE: I briefly discussed this vulnerability on Saturday.

Open Design Alliance Advisory

This advisory describes six vulnerabilities in the Open Design Alliance
Drawings SDK software development kit. The vulnerabilities were reported
by Michael DePlante and rgod via the Zero Day Initiative. ODA has a newer
version that mitigates the vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy
of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow – CVE-2021-25178,
• Type confusion – CVE-2021-25177,
• Untrusted pointer dereference – CVE-2021-25176,
• Incorrect type conversion or cast – CVE-2021-25175, and
• Memory allocation with excessive size value (2) – CVE-2021-25174 and CVE-2021-25173

NCCIC-ICS reported that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to allow code
execution in the context of the current process or cause a denial-of-service
condition.

NOTE: These vulnerabilities were reported last week in NCCIC’s Siemens
JT2Go and Teamcenter Visualization (ICSA-21-040-06) advisory and the
Siemens advisory (SSA-663999) upon which it was based. Both advisories
provided links to the ODA advisory. It will be interesting to see what
other vendors use this ODA tool.

Hamilton Advisory

This advisory describes three vulnerabilities in the Hamilton-T1
Ventilator. The vulnerabilities were reported by Julian Suleder, Raphael
Pavlidis, Nils Emmerich and Dr. Oliver Matula of ERNW Research. Hamilton
recommends updating to newer versions to mitigate the vulnerabilities.
There is no indication that the researchers have been provided an
opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded credentials – CVE-2020-27278,
• Missing XML validation – CVE-2020-27282, and
• Exposure of sensitive information – CVE-2020-27290

NCCIC-ICS reports that a relatively low-skilled attacker
with physical access to the device could exploit these vulnerabilities to
obtain sensitive information or crash the device being accessed.

NOTE: For those that are interested, here is the German BSI’s report on a
whole slew of these vulnerabilities that were reported by ERNW Research
for this BSI project. Not a lot of detail, but there are a lot of
vulnerable devices.

WAGO Update

This update provides additional information on an advisory that was
originally published on January 21st, 2021 and most recently updated on
February 4th, 2021. The new information includes adding the Mitsubishi
Electric MELSOFT FieldDeviceConfigurator as an affected product with a
link to the Mitsubishi advisory.

Author Of this post: PJCoyle
