Tuesday, February 5, 2019 @ 10:02 PM gHale

Rockwell Automation recommends affected users of its EtherNet/IP Web Server Modules disable the SNMP service if not in use to mitigate an improper input validation vulnerability, according to a report from NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by Rockwell Automation working with Tenable, could allow a remote attacker to deny communication with the Simple Network Management Protocol (SNMP) service.

The following versions of the EtherNet/IP web server module suffer from the issue:
• 1756-EWEB (includes 1756-EWEBK) Version 5.001 and earlier
• CompactLogix 1768-EWEB Version 2.005 and earlier

In the vulnerability, a remote attacker could send a crafted UDP packet to the SNMP service causing a denial-of-service condition to occur until the affected product is restarted.
CVE-2018-19016 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

Rockwell Automation recommends affected users disable the SNMP service if not in use.
For more information refer to the Rockwell Automation security advisory (login required).

Tuesday, February 5, 2019 @ 10:02 PM gHale

AVEVA Software, LLC (AVEVA) suggests users upgrade to the latest release to mitigate missing authentication for critical function and resource injection vulnerabilities in its InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition), according to a report with NCCIC.

Successful exploitation of these remotely exploitable vulnerabilities, which AVEVA self-reported, could allow a remote attacker to execute an arbitrary process using a specially crafted database connection configuration file.

The following versions of AVEVA products suffer from the issues:
• InduSoft Web Studio prior to Version 8.1 SP3
• InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update

In one vulnerability, code is executed under the program runtime privileges, which could lead to the compromise of the machine.

CVE-2019-6543 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, an unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

CVE-2019-6545 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The products see use mainly in the chemical, commercial facilities, critical manufacturing, energy, food and agriculture, transportation systems, and water and wastewater sectors. They also see action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

AVEVA recommends affected users upgrade to the latest version of the affected products. The following security updates address the vulnerabilities outlined in this advisory. Software updates can be downloaded from the Global Customer Support “Software Download” area.

For the latest security information and security updates, please visit AVEVA’s Security Central (login required) and InduSoft Security Updates.

AVEVA published Security Bulletin LFSEC00000133 on their website.

Thursday, January 31, 2019 @ 03:01 PM gHale

IDenticard released a software update to mitigate multiple vulnerabilities in its PremiSys access control systems, according to NCCIC.

The vulnerabilities are use of hard-coded credentials, use of a hard-coded password, and inadequate encryption strength.

Successful exploitation of these remotely exploitable vulnerabilities could allow an attacker to view sensitive information via backups, obtain access to credentials, and/or obtain full access to the system with admin privileges.

Vulnerability details have been publicly disclosed.

All versions of PremiSys, an access control system, prior to 4.1 suffer from the vulnerabilities, which were discovered by Jimi Sebree working with Tenable.

In one vulnerability, the system contains hard-coded credentials that allow admin access to the entire service via the PremiSys WCF Service endpoint, which may allow complete control with admin privileges.

CVE-2019-3906 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, the system stores user credentials and other sensitive information with a known weak encryption method, which may allow decryption and exposure of sensitive data.

CVE-2019-3907 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Also, the system stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable, which may allow access to the information they contain.

CVE-2019-3908 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use in the commercial facilities, government facilities, healthcare and public health, and water and wastewater systems sectors. It also sees action on a global basis.

An attacker with low skill level could leverage the vulnerabilities.

IDenticard released updated software, Version 4.1, to address the hard-coded credential vulnerability (CVE-2019-3906). Inadequate encryption strength (CVE-2019-3907) and use of hard-coded password (CVE-2019-3908) are in the process of being fixed, with an update expected in February. These software updates will be provided free of charge. Additional information can be obtained by contacting the IDenticard Technical Support Team at (800) 220-8096.

IDenticard also recommends users change the Service Database default username and password.

Thursday, January 31, 2019 @ 02:01 PM gHale

Schneider Electric has a recommendation and an update to handle use of hard-coded credentials, code injection, and SQL injection vulnerabilities in its EVLink Parking, according to a report with NCCIC.

Successful exploitation of these remotely exploitable vulnerabilities could allow an attacker to stop the device and prevent charging, execute arbitrary commands, and access the web interface with full privileges.

EVLink Parking, an electric vehicle charging station, Versions 3.2.0-12_v1 and prior suffer from the issues, which were discovered by Vladimir Kononovich and Vyacheslav Moskvin of Positive Technologies.

A hard-coded credentials vulnerability exists that could enable an attacker to gain access to the device.

CVE-2018-7800 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, a code injection vulnerability exists that could allow remote code execution with maximum privileges.

CVE-2018-7801 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

Also, a SQL injection vulnerability exists that could give an attacker access to the web interface with full privileges.

CVE-2018-7802 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.

The product sees use mainly in the transportation sector. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Schneider Electric recommends users set up a firewall to restrict remote access to the charging stations by unauthorized users. A software update is also available for download to mitigate these vulnerabilities.

For more information see Schneider Electric’s security notification.

Schneider Electric also recommends the following cybersecurity best practices:
• Locate control and safety system networks and remote devices behind firewalls, and isolate them from the business network.
• Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.
• All controllers should reside in locked cabinets and never be left in the “Program” mode.
• All programming software should be kept in locked cabinets and should never be connected to any network other than the network for the devices for which it is intended.
• All methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. should be scanned before use in the terminals or any node connected to these networks.
• Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Tuesday, January 29, 2019 @ 07:01 PM gHale

Yokogawa’s latest release should handle an unrestricted upload of files with dangerous type vulnerability in its License Manager Service, according to a report with NCCIC.

Successful exploitation of this vulnerability, which Kaspersky Lab reported to Yokogawa, could allow an attacker to remotely upload files, allowing execution of arbitrary code.

The following equipment and versions utilizing the Yokogawa License Manager Service suffer from the remotely exploitable vulnerability:
• CENTUM VP (R5.01.00 – R6.06.00)
• CENTUM VP Entry Class (R5.01.00 – R6.06.00)
• ProSafe-RS (R3.01.00 – R4.04.00)
• PRM (R4.01.00 – R4.02.00)
• B/M9000 VP (R7.01.01 – R8.02.03)

Multiple Yokogawa products use a service intended to verify the validity of the licensed products in use. The service running on affected products does not properly restrict the upload of potentially malicious files, which could result in execution of arbitrary code.

CVE-2019-5909 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

The products see use mainly in the critical manufacturing, energy, and food and agriculture sectors. They also see action on a global basis.

Yokogawa recommends users of affected devices and versions update to the latest available release. Details about the products, affected revisions, and suggested mitigations are available in the Yokogawa Security Advisory Report “YSAR-198-0001: Vulnerability of access control in License Manager Service of Yokogawa products.”

For questions related to this report and details regarding how to update to the newest revision, visit the Yokogawa security website (registration required).

Thursday, January 10, 2019 @ 03:01 PM gHale

Emerson has a patch to handle an authentication bypass vulnerability in its DeltaV Distributed Control System workstations, according to a report with NCCIC.

Successful exploitation of this vulnerability could allow an attacker to shut down a service, resulting in a denial of service.

DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior suffer from the vulnerability, discovered by Alexander Nochvay of Kaspersky Lab.

A specially crafted script could bypass the authentication of a maintenance port of a service, which may allow an attacker to cause a denial of service.

CVE-2018-19021 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

The product sees use in the chemical, critical manufacturing, and energy sectors. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network. However, an attacker with low skill level could leverage the vulnerability.

Emerson recommends users patch the affected products listed below:
• DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, and R6

Software patches are available to users with access to the Emerson Guardian Support Portal.

For more information, refer to the article for this vulnerability on the Emerson website.

To limit exposure to these and other vulnerabilities, Emerson recommends DeltaV systems and related components be deployed and configured as described in the DeltaV Security Manual, which can be found on Emerson’s Guardian Support Portal.

Tuesday, January 8, 2019 @ 04:01 PM gHale

Schneider Electric has a migration plan to handle path traversal, unrestricted upload of file with dangerous type, and XML external entity (XXE) vulnerabilities in its IIoT Monitor, according to a report with NCCIC.

Successful exploitation of these remotely exploitable vulnerabilities could allow a remote attacker to access files available to system users, arbitrarily upload and execute malicious files, and embed incorrect documents into the system output to expose restricted information.

IIoT Monitor, a monitoring platform, Versions 3.1.38 and prior suffer from the vulnerabilities, which were discovered by Trend Micro’s Zero Day Initiative working with rgod.

In one issue, a path traversal vulnerability exists, which may allow access to files available to the SYSTEM user.

CVE-2018-7835 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, an unrestricted upload of a file with dangerous type vulnerability exists in the IIoT Monitor software that could allow the uploading and execution of malicious files.

CVE-2018-7836 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.3.

Also, there is an XXE vulnerability in the IIoT Monitor software that may allow the software to resolve documents outside of the intended sphere of control, causing the software to embed incorrect documents into its output and expose restricted information.

CVE-2018-7837 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use mainly in the commercial facilities, critical manufacturing, energy, and transportation services sectors. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Schneider Electric recommends affected users contact Schneider Electric customer support for assistance in migrating to the latest software to resolve the issues.

Schneider Electric also released a security notification.

Schneider Electric recommends implementing industry cybersecurity best practices, such as:
• Locate control and safety system networks and remote devices behind firewalls, and isolate them from the business network.
• Physical controls should be in place so no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.
• All controllers should reside in locked cabinets and never be left in the “Program” mode.
• All programming software should be kept in locked cabinets and should never be connected to any network other than the network for the devices for which it is intended.
• All methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. should be scanned before use in the terminals or any node connected to these networks.
• Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Tuesday, January 8, 2019 @ 04:01 PM gHale

Schneider Electric has a new version of software to fix a use-after-free vulnerability in its Zelio Soft 2, according to a report with NCCIC.

Successful exploitation of this vulnerability could allow for remote code execution when opening a specially crafted project file.

Zelio Soft 2, a programming platform, Versions 5.1 and prior suffer from the vulnerability, which was discovered by Trend Micro’s Zero Day Initiative working with rgod and mdm of 9SG Security Team.

In the vulnerability, opening a specially crafted Zelio Soft project file may trigger a use-after-free, which may allow remote code execution.

CVE-2018-7817 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.

Users can now download Schneider Electric’s Version 5.2 of the affected software.

Schneider Electric has also released a security notification.

Thursday, January 3, 2019 @ 04:01 PM gHale

Hetronic has new firmware to handle an authentication bypass by capture replay vulnerability in its Nova-M, according to a report with NCCIC.

Successful exploitation of this vulnerability, discovered by Jonathan Andersson, Philippe Z Lin, Akira Urano, Marco Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler working with Trend Micro’s Zero Day Initiative, could allow unauthorized users to view commands, replay commands, control the device, or stop the device from running.

The following versions of Hetronic remote control transmitters and receivers suffer from the vulnerability:
Transmitters:
• Nova-M: All versions prior to r161

Receivers:
• ES-CAN-HL: All versions prior to Main r1864, Estop_v24
• BMS-HL: All versions prior to Main r1175, Estop_v24
• MLC: All versions prior to Main r1600, Estop_v24
• DC Mobile: All versions prior to Main r515, Estop_v24

In the vulnerability, these devices use fixed codes that are reproducible by sniffing and re-transmission. This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent “stop” state.
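As an added illustration (not Hetronic's code or radio protocol), the following constructed Python contrasts a fixed-code command frame, which a receiver cannot tell apart from a replay of a captured frame, with a counter-plus-MAC frame that a receiver can reject on replay; the key, frame layout, window size and command ids are assumptions.

```python
# Added example, not Hetronic's code or protocol. Key, frame layout and
# command ids are constructed assumptions for the demonstration.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-secret"  # assumed shared secret
STOP, START = 0x01, 0x02                           # constructed command ids
WINDOW = 16                                        # accepted counter lookahead


def fixed_code_frame(device_id: int, cmd: int) -> bytes:
    """Fixed-code frame: the bytes never change for a given command."""
    return struct.pack(">HB", device_id, cmd)


def fixed_code_receiver(frame: bytes, device_id: int):
    """Accepts any frame carrying the right device id; a replay looks identical."""
    dev, cmd = struct.unpack(">HB", frame)
    return cmd if dev == device_id else None


def authenticated_frame(device_id: int, counter: int, cmd: int, key: bytes = KEY) -> bytes:
    """Frame = device id, monotonic counter, command, then a 16-byte HMAC tag."""
    body = struct.pack(">HIB", device_id, counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag


class AuthenticatedReceiver:
    """Receiver that verifies the MAC and only accepts counters that move forward."""

    def __init__(self, device_id: int, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) != 7 + 16:           # malformed or truncated frame
            return None
        body, tag = frame[:7], frame[7:]
        dev, counter, cmd = struct.unpack(">HIB", body)
        if dev != self.device_id:
            return None
        # Check the tag in constant time before trusting any field.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None
        # Replays and out-of-order frames reuse an old counter; reject them,
        # and also reject jumps beyond the lookahead window.
        if counter <= self.last_counter or counter > self.last_counter + WINDOW:
            return None
        self.last_counter = counter
        return cmd


def replay_outcomes():
    """Return (fixed_code_replay_accepted, authenticated_replay_accepted)."""
    dev = 0x1234
    fixed = fixed_code_frame(dev, STOP)
    # The captured fixed-code frame is accepted a second time, just like the first.
    fixed_replay = (fixed_code_receiver(fixed, dev) == STOP
                    and fixed_code_receiver(fixed, dev) == STOP)
    rx = AuthenticatedReceiver(dev, KEY)
    first = authenticated_frame(dev, 0, STOP)
    assert rx.accept(first) == STOP
    auth_replay = rx.accept(first) is not None   # counter 0 already consumed
    return fixed_replay, auth_replay
```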

CVE-2018-19023 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.

The product sees use in multiple manufacturing sectors and it sees action on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

Hetronic recommends all Nova-M users update their radio transmitters to firmware version r161 and their receivers to the following versions:
• ES-CAN-HL: Main r1864, Estop_v24
• BMS-HL: Main r1175, Estop_v24
• MLC: Main r1600, Estop_v24
• DC Mobile: Main r515, Estop_v24

The new firmware patches can be obtained free of charge by signing in to the Hetronic website portal or by bringing the transmitter and receiver to any Hetronic service center.

Thursday, January 3, 2019 @ 03:01 PM gHale

Yokogawa has an update to handle a resource management error vulnerability in its Vnet/IP Open Communication Driver, according to a report with NCCIC.

Successful exploitation of this remotely exploitable vulnerability, which JPCERT coordinated with Yokogawa, could allow an attacker to cause Vnet/IP network communications to controlled devices to become unavailable.

The following equipment and versions utilizing the Vnet/IP Open Communication Driver suffer from the issue:
• CENTUM CS 3000 (R3.05.00 – R3.09.50)
• CENTUM CS 3000 Entry Class (R3.05.00 – R3.09.50)
• CENTUM VP (R4.01.00 – R6.03.10)
• CENTUM VP Entry Class (R4.01.00 – R6.03.10)
• Exaopc (R3.10.00 – R3.75.00)
• PRM (R2.06.00 – R3.31.00)
• ProSafe-RS (R1.02.00 – R4.02.00)
• FAST/TOOLS (R9.02.00 – R10.02.00)
• B/M9000 VP (R6.03.01 – R8.01.90)

The Vnet/IP Open Communication Driver has a flaw that could allow an attacker to stop its communications functionality, resulting in a denial of service.

CVE-2018-16196 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use in the critical manufacturing, energy, and food and agriculture sectors. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

Yokogawa recommends users of affected devices and versions update to the latest available release.

Details about the products, affected revisions, and suggested mitigations are available in the Yokogawa Security Advisory Report YSAR-18-0008: Denial of service (DoS) vulnerability in Vnet/IP Open Communication Driver.

For questions related to this report and details regarding how to update to the newest revision, please visit the Yokogawa security website (registration required).