433 Central Ave., 4th Floor, St. Petersburg, FL 33701 | info@poseidon-us.com | Office: (727) 493-2351

Rockwell Automation PowerFlex 525 AC Drives

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Rockwell Automation
  • Equipment: PowerFlex 525 AC Drives
  • Vulnerability: Resource Exhaustion

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in resource exhaustion, denial of service, and/or memory corruption.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerFlex 525, an AC drive, are affected:

  • PowerFlex 525 AC Drives with embedded EtherNet/IP and Safety Versions 5.001 and earlier.

3.2 VULNERABILITY OVERVIEW

3.2.1    UNCONTROLLED RESOURCE CONSUMPTION (‘RESOURCE EXHAUSTION’) CWE-400

A remote, unauthenticated threat actor can repeatedly send specific CIP packets to an affected PowerFlex 525 drive, which may allow disruption of the availability of the device. 

CVE-2018-19282 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Nicolas Merle of Applied Risk reported this vulnerability to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation has released new firmware to address the vulnerability. Download the latest version of the firmware from:

https://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=25B&crumb=112

Rockwell Automation recommends the following general security guidelines:

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure CIP messages from unauthorized sources are blocked.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port 2222 and Port 44818, using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270 (login required).
  • If applicable, consult the product documentation for specific features, such as a hardware key-switch setting, which may be used to block unauthorized changes, etc.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet or the business network.
  • When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
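The second bullet above is the concrete, checkable part of the guidance: EtherNet/IP and CIP traffic on TCP/UDP 2222 and 44818 should only reach the drives from inside the manufacturing zone. The script below is an added example, not Rockwell Automation's or NCCIC's code, that applies that rule to flow records so a defender can confirm the perimeter actually enforces it and spot the traffic pattern behind the CWE-400 condition (one source repeatedly sending CIP packets to a drive). The zone subnet, the flow records and the packet threshold are constructed for the example and would be replaced by the site's own values.

```python
"""Check flow records for CIP traffic that reaches drives from outside the
manufacturing zone, and for sources sending unusually many CIP packets."""
import ipaddress
from collections import defaultdict

# Ports named in the advisory's mitigation guidance (EtherNet/IP explicit and I/O messaging).
CIP_PORTS = {2222, 44818}

# Assumption for this example: the manufacturing zone is a single /16. Adjust to the site.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records for the example, one per line: src,dst,proto,dport,packets.
# These are not captures from any real plant network.
SAMPLE_FLOWS = """\
10.20.1.15,10.20.5.40,tcp,44818,12
10.20.1.15,10.20.5.40,udp,2222,340
192.168.50.9,10.20.5.40,tcp,44818,2
192.168.50.9,10.20.5.40,tcp,44818,9800
172.16.3.3,10.20.5.41,udp,2222,15
10.20.1.15,10.20.5.40,tcp,443,3
"""


def parse_flows(text):
    """Parse the CSV-style records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, proto, dport, packets = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "packets": int(packets),
        })
    return flows


def in_zone(addr, zone=MANUFACTURING_ZONE):
    """True when the address belongs to one of the zone's subnets."""
    return any(addr in net for net in zone)


def out_of_zone_cip(flows, zone=MANUFACTURING_ZONE):
    """CIP flows into the zone whose source lies outside it: exactly the
    connections the advisory says a perimeter firewall should be dropping."""
    return [f for f in flows
            if f["dport"] in CIP_PORTS
            and in_zone(f["dst"], zone)
            and not in_zone(f["src"], zone)]


def high_volume_cip_sources(flows, packet_threshold=1000):
    """Sum CIP packets per source and return the sources above the threshold.
    The threshold is a constructed example value; tune it to the site's baseline."""
    totals = defaultdict(int)
    for f in flows:
        if f["dport"] in CIP_PORTS:
            totals[f["src"]] += f["packets"]
    return {str(src): n for src, n in totals.items() if n > packet_threshold}


def report(text=SAMPLE_FLOWS):
    """Run both checks over a block of flow records and return the findings."""
    flows = parse_flows(text)
    return {
        "out_of_zone_sources": sorted({str(f["src"]) for f in out_of_zone_cip(flows)}),
        "high_volume_sources": high_volume_cip_sources(flows),
    }


if __name__ == "__main__":
    print(report())
```

On the constructed records the report names two sources outside the zone reaching CIP ports and one of them sending far more CIP packets than the threshold; in production the out-of-zone list should be empty once the firewall rules are in place, and anything that still appears there is either a rule gap or traffic worth a closer look.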

Rockwell Automation has released a security advisory regarding this vulnerability, which can be found on its website at the following location (login required):  
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1082684

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Siemens SCALANCE X

1. EXECUTIVE SUMMARY

  • CVSS v3 5.4
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: SCALANCE X
  • Vulnerability: Expected Behavior Violation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to feed data over a mirror port and into the mirrored network.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following SCALANCE products are affected:

  • SCALANCE X-200, all versions;
  • SCALANCE X-300, all versions; and
  • SCALANCE XP/XC/XF-200, all versions older than v4.1

3.2 VULNERABILITY OVERVIEW

3.2.1    EXPECTED BEHAVIOR VIOLATION CWE-440

The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port and into the mirrored network. An attacker could exploit this vulnerability to transmit malicious packets to systems in the mirrored network to influence their configuration and runtime behavior.
This vulnerability could be exploited by an attacker with network access to the traffic-receiving network. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the confidentiality and availability of the traffic-generating network.

CVE-2019-6569 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to NCCIC.

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation that users can implement to reduce the risk associated with this vulnerability in SCALANCE XP/XC/XF-200:

Until a software update can be installed, Siemens recommends users apply defense in depth principles, particularly ensuring that no devices that transmit data back in the mirroring network are operated within the mirrored network.

As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. To operate devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security (https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the product manual recommendations.

Additional information on industrial security by Siemens is available at:

https://www.siemens.com/industrialsecurity

For additional information see Siemens’ security advisory SSA-557804 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm  

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

This vulnerability requires high skill level to exploit. No known public exploits specifically target this vulnerability.

PHOENIX CONTACT RAD-80211-XD

1. EXECUTIVE SUMMARY

  • CVSS v3 9.9
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Phoenix Contact
  • Equipment: RAD-80211-XD
  • Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute system level commands with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

According to Phoenix Contact, the following products are affected:

  • RAD-80211-XD (2885728), and
  • RAD-80211-XD/HP-BUS (2900047)

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

A WebHMI utility may be exploited by any logged-in user, allowing the execution of arbitrary OS commands on the server. This provides the opportunity for a command injection attack.

CVE-2019-9743 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing, Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Maxim Rupp (RuppIT) working with Phoenix Contact and CERT@VDE reported this vulnerability to NCCIC.

4. MITIGATIONS

Phoenix Contact recommends the following:

Please see VDE-2019-007 at the following location for more details:

https://cert.vde.com/en-us/advisories/vde-2019-007 

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

ENTTEC Lighting Controllers

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: ENTTEC
  • Equipment: Datagate MK2, Storm 24, Pixelator
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could reboot the device, allowing a continual denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ENTTEC reports that the vulnerability affects the following products and versions:

  • Datagate MK2 all firmware prior to 70044_update_05032019-482,
  • Storm 24 all firmware prior to 70050_update_05032019-482, and
  • Pixelator all firmware prior to 70060_update_05032019-482

3.2 VULNERABILITY OVERVIEW

3.2.1    MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An unauthenticated user can initiate a remote reboot, which may be used to cause a denial of service condition.

CVE-2019-6542 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Australia

3.4 RESEARCHER

Ankit Anubhav of NewSky Security reported this vulnerability to NCCIC.

4. MITIGATIONS

ENTTEC recommends users upgrade to the March 2019 revB firmware or later, which can be downloaded from the following links:

Datagate MK2 70044_update_05032019-482:

https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/advanced-lighting-data-control/

Storm 24 70050_update_05032019-482:

https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/ethernet-to-dmx-converter/

Pixelator 70060_update_05032019-482:

https://www.enttec.com/product/controls/addressable-led-pixel-control/24-port-ethernet-pixel-controller/

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Medtronic Conexus Radio Frequency Telemetry Protocol

1. EXECUTIVE SUMMARY

  • CVSS v3 9.3
  • ATTENTION: Exploitable with adjacent access/low skill level to exploit
  • Vendor: Medtronic
  • Equipment: MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices listed below
  • Vulnerabilities: Improper Access Control, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active. Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products and versions of Medtronic devices utilizing the Conexus telemetry protocol are affected:

  • MyCareLink Monitor, Versions 24950 and 24952,
  • CareLink Monitor, Version 2490C,
  • CareLink 2090 Programmer,
  • Amplia CRT-D (all models),
  • Claria CRT-D (all models),
  • Compia CRT-D (all models),
  • Concerto CRT-D (all models),
  • Concerto II CRT-D (all models),
  • Consulta CRT-D (all models),
  • Evera ICD (all models),
  • Maximo II CRT-D and ICD (all models),
  • Mirro ICD (all models),
  • Nayamed ND ICD (all models),
  • Primo ICD (all models),
  • Protecta ICD and CRT-D (all models),
  • Secura ICD (all models),
  • Virtuoso ICD (all models),
  • Virtuoso II ICD (all models),
  • Visia AF ICD (all models), and
  • Viva CRT-D (all models).

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER ACCESS CONTROL CWE-284

The Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

CVE-2019-6538 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.2.2    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The Conexus telemetry protocol utilized within this ecosystem does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

CVE-2019-6540 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham; and Rik Willems of University Hospital Gasthuisberg Leuven reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval.
Medtronic recommends that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Maintain good physical control over home monitors and programmers.
  • Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.
  • Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.
  • Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
  • Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.

Medtronic has released additional patient-focused information at the following location:

https://www.medtronic.com/security

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.
  • Where additional information is needed, refer to the FDA's existing guidance on cybersecurity in medical devices, which can be found at the following location:

https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited.

AVEVA InduSoft Web Studio and InTouch Edge HMI

1. EXECUTIVE SUMMARY

  • CVSS v3 6.5
  • ATTENTION: Low skill level to exploit
  • Vendor: AVEVA
  • Equipment: InduSoft Web Studio, InTouch Edge HMI
  • Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow execution of unauthorized code or commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA InduSoft Web Studio and InTouch Edge HMI are affected by a vulnerability in a third-party component, Gemalto Sentinel UltraPro encryption keys.

  • InduSoft Web Studio versions prior to v8.1 SP3
  • InTouch Edge HMI versions prior to 2017 Update 3

3.2 VULNERABILITY OVERVIEW

3.2.1    UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The uncontrolled search path element vulnerability allows an attacker to load and execute a malicious REVERB1 dynamic link library (dll) in third-party component Sentinel UltraPro.

CVE-2019-6534 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

ADLab of Venustech reported this vulnerability to NCCIC.

4. MITIGATIONS

AVEVA recommends that users upgrade to the latest versions, located at the following links:

InduSoft Web Studio v8.1 SP3

http://download.indusoft.com/81.3.0/IWS81.3.0.zip

InTouch Edge HMI 2017 Update 3

https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52354 (login required)

Users who are unable to upgrade to the latest version of InduSoft Web Studio or InTouch Edge HMI can alternatively apply Security Update LFSec131:

http://www.indusoft.com/download/patches/security/LFSec131.zip 

https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52410 (login required)

For additional information, please see AVEVA Security Bulletin LFSEC00000131:

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec131.pdf

NCCIC recommends users take the following measures to protect themselves from social engineering attacks:

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Columbia Weather Systems MicroServer

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Columbia Weather Systems, Inc.
  • Equipment: Weather MicroServer
  • Vulnerabilities: Cross-site Scripting, Path Traversal, Improper Authentication, Improper Input Validation, Code Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow disclosure of data, cause a denial-of-service condition, and allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Weather MicroServer, a weather monitoring system, are affected:

  • Weather MicroServer firmware Version MS_2.6.9900 and prior.

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A cross-site scripting error exists that does not properly validate input, which may allow arbitrary web script to be executed.

CVE-2018-18875 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.2    IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A path traversal vulnerability exists that could allow an attacker read access to files within the directory structure of the target device.

CVE-2018-18876 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.3    IMPROPER AUTHENTICATION CWE-287

An improper authentication vulnerability exists that could allow a possible authentication bypass, allowing an attacker to manipulate the device and cause a denial-of-service condition.

CVE-2018-18877 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4    IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists allowing an attacker to craft the input in a form that is not expected by the rest of the application, causing a denial-of-service condition and the device to become unavailable.

CVE-2018-18878 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5    IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

A code injection vulnerability exists that could allow remote code execution.

CVE-2018-18879 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6    IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A cross-site scripting error exists that does not properly validate input, which may allow arbitrary web script to be executed.

CVE-2018-18880 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Information Technology
  • COUNTRIES/AREAS DEPLOYED: United States
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

John Elder and Tom Westenberg of Applied Risk reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Columbia Weather Systems has released a firmware update, Version: MS_2.7.9973, that addresses all the above vulnerabilities found on the Weather MicroServer.

To upgrade Weather MicroServer, please contact Columbia Weather Systems: 

Phone: 503-629-0887 or email: support@columbiaweather.com

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

LCDS LAquis SCADA ELS Files

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low skill level to exploit
  • Vendor: LCDS—Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
  • Equipment: LAquis SCADA
  • Vulnerability: Out-of-Bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of LAquis SCADA, industrial automation software, is affected:

  • SCADA 4.1.0.4150

3.2 VULNERABILITY OVERVIEW

3.2.1    OUT-OF-BOUNDS WRITE CWE-787

Opening a specially crafted ELS file may result in a write past the end of an allocated buffer, which may allow an attacker to execute remote code in the context of the current process.

CVE-2019-6536 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: South America
  • COMPANY HEADQUARTERS LOCATION: Brazil

3.4 RESEARCHER

Mat Powell, working with Zero Day Initiative, reported this vulnerability to NCCIC.

4. MITIGATIONS

LCDS recommends users update to Version 4.3.1.71, which can be found at the following location:

https://laquisscada.com

Because exploitation requires a user to open a crafted ELS file, NCCIC also recommends that users take measures to protect themselves from social engineering attacks, such as not opening unsolicited files or attachments.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

This vulnerability is exploitable locally. No known public exploits specifically target this vulnerability.

Gemalto Sentinel UltraPro

1. EXECUTIVE SUMMARY

  • CVSS v3 6.5

  • ATTENTION: Low skill level to exploit
  • Vendor: Gemalto
  • Equipment: Sentinel UltraPro
  • Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow execution of unauthorized code or commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Sentinel UltraPro client library are affected:

  • Sentinel UltraPro Client Library ux32w.dll Versions 1.3.0, 1.3.1, and 1.3.2

3.2 VULNERABILITY OVERVIEW

3.2.1    UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The Sentinel UltraPro client library ux32w.dll contains an uncontrolled search path element. An attacker who can place a malicious file in a directory on that search path can cause the library to load and execute it in the context of the calling application.

CVE-2019-6534 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Financial Services, Government Facilities, Healthcare and Public Health, Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER

ADLab of Venustech reported this vulnerability to NCCIC.

4. MITIGATIONS

Users who have Sentinel UltraPro Client Library ux32w.dll Versions 1.3.0, 1.3.1, or 1.3.2 are advised to upgrade to Sentinel UltraPro Version 1.3.3 to receive this security update. The security update is found at the following link:

https://supportportal.gemalto.com/csm?id=kb_article_view&sysparm_article=KB0017694

For additional information, please see Gemalto’s security bulletin at:

https://sentinel.gemalto.com/technical-support/security-updates-sm/
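The following PowerShell script is an added example for this advisory; it is not code from Gemalto or NCCIC. It inventories copies of ux32w.dll under the usual installation roots, flags the file versions named in section 3.1 (1.3.0 through 1.3.2), and reports whether the directory holding each copy, or any directory on the system PATH, grants write access to standard-user identities. That writable-directory condition is what an attacker needs to exploit an uncontrolled search path element (CWE-427) by planting a file for the library to load. The search roots, the list of "broad" identities and the access-mask heuristic are assumptions of this example, not details from the advisory.

```powershell
# Added example (not Gemalto's or NCCIC's code). Assumptions: the search roots,
# the identities treated as "standard users", and the write-rights mask below.

$affected = @('1.3.0', '1.3.1', '1.3.2')   # versions named in the advisory
$roots    = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
              "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Identities whose write access on a directory lets an unprivileged user drop a DLL there.
$broadWriters = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$writeMask    = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::WriteAttributes

function Test-BroadlyWritable {
    param([string]$Directory)
    try {
        $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    } catch {
        return $false   # cannot read the ACL; treat as not proven writable
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadWriters -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($root in $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    Get-ChildItem -LiteralPath $root -Filter 'ux32w.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = $_.VersionInfo.FileVersion
            # FileVersion is often 'a.b.c.d' (sometimes with trailing text); compare the
            # first three components so '1.3.2.0' matches the advisory's '1.3.2'.
            $short = ((($ver -split '[ ,]')[0]) -split '\.')[0..2] -join '.'
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $ver
                Affected    = $affected -contains $short
                DirWritable = Test-BroadlyWritable -Directory $_.DirectoryName
            }
        }
}

$findings | Format-Table -AutoSize

# A DLL that is not found in the application directory can be resolved from PATH,
# so a standard-user-writable PATH entry is also a planting location.
$env:Path -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Where-Object { Test-BroadlyWritable -Directory $_ } |
    ForEach-Object { "User-writable PATH entry: $_" }
```

Run the script from an elevated prompt so ACLs on system directories can be read. A row with Affected = True calls for the vendor upgrade to 1.3.3; a row with DirWritable = True, or any reported PATH entry, is a hardening item regardless of the library version, since those directories should not be writable by standard users on a host that runs licensed software.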

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.