433 Central Ave., 4th Floor, St. Petersburg, FL 33701 | info@poseidon-us.com | Office: (813) 563-2652

Siemens SCALANCE X

1. EXECUTIVE SUMMARY

  • CVSS v3 5.4

  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: SCALANCE X
  • Vulnerability: Expected Behavior Violation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to feed data over a mirror port and into the mirrored network.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following SCALANCE products are affected:

  • SCALANCE X-200, all versions;
  • SCALANCE X-300, all versions; and
  • SCALANCE XP/XC/XF-200, all versions older than v4.1

3.2 VULNERABILITY OVERVIEW

3.2.1    EXPECTED BEHAVIOR VIOLATION CWE-440

The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port and into the mirrored network. An attacker could exploit this vulnerability to transmit malicious packets to systems in the mirrored network to influence their configuration and runtime behavior.

This vulnerability could be exploited by an attacker with network access to the traffic-receiving network. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the confidentiality and availability of the traffic-generating network.

CVE-2019-6569 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to NCCIC.

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation that users can implement to reduce the risk associated with this vulnerability in SCALANCE XP/XC/XF-200:

Until a software update can be installed, Siemens recommends users apply defense in depth principles, particularly ensuring that no devices that transmit data back in the mirroring network are operated within the mirrored network.

As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. To operate devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security (https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the product manual recommendations.

Additional information on industrial security by Siemens is available at:

https://www.siemens.com/industrialsecurity

For additional information see Siemens’ security advisory SSA-557804 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm  

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

This vulnerability requires high skill level to exploit. No known public exploits specifically target this vulnerability.

PHOENIX CONTACT RAD-80211-XD

1. EXECUTIVE SUMMARY

  • CVSS v3 9.9

  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Phoenix Contact
  • Equipment: RAD-80211-XD
  • Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute system level commands with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

According to Phoenix Contact, the following products are affected:

  • RAD-80211-XD (2885728), and
  • RAD-80211-XD/HP-BUS (2900047)

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

A WebHMI utility may be exploited by any logged-in user, allowing the execution of arbitrary OS commands on the server. This provides the opportunity for a command injection attack.

CVE-2019-9743 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing, Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Maxim Rupp (RuppIT) working with Phoenix Contact and CERT@VDE reported this vulnerability to NCCIC.

4. MITIGATIONS

Phoenix Contact recommends the following:

Please see VDE-2019-007 at the following location for more details:

https://cert.vde.com/en-us/advisories/vde-2019-007 

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

ENTTEC Lighting Controllers

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5

  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: ENTTEC
  • Equipment: Datagate MK2, Storm 24, Pixelator
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could reboot the device, allowing a continual denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ENTTEC reports that the vulnerability affects the following products and versions:

  • Datagate MK2 all firmware prior to 70044_update_05032019-482,
  • Storm 24 all firmware prior to 70050_update_05032019-482, and
  • Pixelator all firmware prior to 70060_update_05032019-482

3.2 VULNERABILITY OVERVIEW

3.2.1    MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An unauthenticated user can initiate a remote reboot, which may be used to cause a denial of service condition.

CVE-2019-6542 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Australia

3.4 RESEARCHER

Ankit Anubhav of NewSky Security reported this vulnerability to NCCIC.

4. MITIGATIONS

ENTTEC recommends users upgrade to the March 2019 revB firmware or later which can be downloaded from the following links:

Datagate MK2 70044_update_05032019-482:

https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/advanced-lighting-data-control/

Storm 24 70050_update_05032019-482:

https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/ethernet-to-dmx-converter/

Pixelator 70060_update_05032019-482:

https://www.enttec.com/product/controls/addressable-led-pixel-control/24-port-ethernet-pixel-controller/

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

U.S. Army Special Operations Soldier Killed in Afghanistan

FORT BRAGG, N.C. — Sgt. 1st Class Will Lindsay, 33, of Cortez, Colorado, died March 22, 2019, in Kunduz, Afghanistan, as a result of wounds sustained while engaged in combat operations as part of the Operation Freedom’s Sentinel. Lindsay was assigned to 10th Special Forces Group (Airborne), Fort Carson, Colorado.

Lindsay was born on Aug. 26, 1985, in Cortez, Colorado. He enlisted in the Army on July 7, 2004. Following the completion of One Station Unit Training and Basic Airborne School at Fort Benning, Georgia, Lindsey completed the Special Forces Qualification Course and was assigned to 2nd Bn., 10th SFG (A) in July 2006.

“The 10th SFG (A) Family is deeply saddened at the loss of Sgt. 1st Class Will Lindsay,” said Col. Lawrence Ferguson, 10th SFG (A) commander. “Will was one of the best in our formation, with more than a decade of service in the Regiment at all levels of noncommissioned officer leadership. We will focus now on supporting his Family and honoring his legacy and sacrifice.”

Lindsay’s deployments include five tours to Iraq supporting Operation Iraqi Freedom and Operation New Dawn; to Tajikistan in 2016 supporting the Counter-Narcotics Terrorism mission; and Afghanistan supporting Operation Freedom’s Sentinel.

Lindsay’s military education includes the Basic and Advanced Airborne Schools, Basic and Advanced Military Free Fall Courses, Special Forces Qualification Course, Special Operations Target Interdiction Course, Advanced Special Operation Techniques Level II, Special Forces Senior Leader Course, Special Forces Intelligence Sergeant Course, and Army Special Operations Forces Master Leader Course.

Lindsay’s awards and decorations include the Bronze Star Medal (4 OLC), Purple Heart Medal, Meritorious Service Medal (1 OLC), Valorous Unit Award, Meritorious Unit Award (1 OLC), Army Superior Unit Award, Army Good Conduct Medal (3 OLC), National Defense Service Medal, Global War on Terrorism Service Medal, NCO Professional Development Ribbon (3 OLC), Army Service Ribbon, Overseas Service Ribbon (1 OLC), NATO Medal, Special Forces Tab, Combat Infantryman Badge, Military Free Fall Jumpmaster Badge, Master Parachutist Badge, Chilean Airborne Wings and Senior Instructor Badge.

He is survived by his wife and four daughters.

For questions please contact the USASOC Public Affairs Director, Lt. Col. Loren Bymer, loren.bymer@socom.mil or 910.432.3383.

Medtronic Conexus Radio Frequency Telemetry Protocol

1. EXECUTIVE SUMMARY

  • CVSS v3 9.3

  • ATTENTION: Exploitable with adjacent access/low skill level to exploit
  • Vendor: Medtronic
  • Equipment: MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices listed below
  • Vulnerabilities: Improper Access Control, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active. Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products and versions of Medtronic devices utilizing the Conexus telemetry protocol are affected:

  • MyCareLink Monitor, Versions 24950 and 24952,
  • CareLink Monitor, Version 2490C,
  • CareLink 2090 Programmer,
  • Amplia CRT-D (all models),
  • Claria CRT-D (all models),
  • Compia CRT-D (all models),
  • Concerto CRT-D (all models),
  • Concerto II CRT-D (all models),
  • Consulta CRT-D (all models),
  • Evera ICD (all models),
  • Maximo II CRT-D and ICD (all models),
  • Mirro ICD (all models),
  • Nayamed ND ICD (all models),
  • Primo ICD (all models),
  • Protecta ICD and CRT-D (all models),
  • Secura ICD (all models),
  • Virtuoso ICD (all models),
  • Virtuoso II ICD (all models),
  • Visia AF ICD (all models), and
  • Viva CRT-D (all models).

3.2 VULNERABILITY OVERVIEW

3.2.1    IMPROPER ACCESS CONTROL CWE-284

The Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

CVE-2019-6538 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.2.2    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The Conexus telemetry protocol utilized within this ecosystem does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

CVE-2019-6540 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham; and Rik Willems of University Hospital Gasthuisberg Leuven reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval.

Medtronic recommends that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Maintain good physical control over home monitors and programmers.
  • Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.
  • Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.
  • Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
  • Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.

Medtronic has released additional patient-focused information at the following location:

https://www.medtronic.com/security

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.
  • Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA that can be found at the following location:

https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited.

160th SOAR named aviation award winners

Media Advisory#: 19-03-001

FORT BRAGG, N.C. (USASOC News Service, March 21, 2019) — Soldiers from the 160th Special Operations Aviation Regiment, U.S. Army Special Operations Aviation Command, were recognized for their contributions to Army aviation in an announcement of the Army Aviation Association of America 2018 award winners.

The awards recognize individuals and units for their outstanding contributions and advancements in innovation throughout the previous year.

Second Battalion, 160th Special Operations Aviation Regiment received the Battalion of the Year award. Sgt. Bradley Galloway was named the 2018 Soldier of the Year and Chief Warrant Officer 3 Patrick Fleming was named the 2018 Aviator of the Year for their individual achievements.

The awards signify the dedication to excellence by the soldiers and the continued efforts within U.S. Army Special Operations Aviation Command to improve the readiness and lethality of its formations.

Winning units and individuals will be presented their awards in a ceremony slated for April 2019.

Editors Notes:

For more information contact the Director of Public Affairs, Lt. Col. Loren Bymer, U.S. Army Special Operations Command Office: (910) 432-3383 BB: (910) 494-1589 loren.bymer@socom.mil

SilkETW: Because Free Telemetry is…Free!

In the following example, we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with this command:

SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in (Figure 2).


Figure 2: PowerShell event filtering

Yara Integration

SilkETW has a number of command line flags that allow the user to restrict the events that are captured. These include the event name, the process ID, the process name, and the opcode. To further enhance this capability, Yara support is included to filter or tag trace events. While Yara has immediate defensive connotations, the reader is reminded that Yara rules are equally useful to augment research capabilities.

In the following contrived example we will use a Yara rule to detect Seatbelt execution in memory through Cobalt Strike’s execute-assembly.

rule Seatbelt_GetTokenInformation
{
    strings:
        $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
        $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
        $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
        $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase

    condition:
        all of ($s*)
}

We can start collecting .NET ETW data with the following command (note here the “-yo” option indicating that we will only write the Yara matches to file!):

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

We can see at runtime that our Yara rule was hit (Figure 3).


Figure 3: Yara rule hit

Note also that we are only capturing a subset of the “Microsoft-Windows-DotNETRuntime” events (0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.
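Both the "sort, grep and filter" step after the first command and the Yara tagging described in this section are worked on the JSON file SilkETW writes with "-ot file". The script below is an added example, not code from the SilkETW project or its author: it triages a constructed sample of newline-delimited JSON records, pulling out ImageLoad events whose loaded file name matches a pattern (the Mimikatz case from the first example) and events that SilkETW tagged with a Yara rule (the Seatbelt case from this section). The top-level field names (EventName, ProcessID, ProviderName, YaraMatch, and XmlEventData with a FileName member) are assumed to follow SilkETW's output format; every value, path and process ID in the sample is invented, and one line is deliberately truncated to show that a trace file cut off mid-write does not abort triage.

```python
from __future__ import annotations

import json
import re
from typing import Iterable

# Constructed sample in the newline-delimited JSON shape SilkETW writes with
# "-ot file". Field names are assumed from SilkETW's output format; all values,
# paths and PIDs are invented. The fifth line is deliberately truncated.
SAMPLE_OUTPUT = r'''
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ImageLoad","ProcessID":4412,"YaraMatch":[],"XmlEventData":{"FileName":"C:\\Windows\\System32\\ntdll.dll"}}
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ProcessStart","ProcessID":5120,"YaraMatch":[],"XmlEventData":{"ImageName":"C:\\Users\\analyst\\Downloads\\tool.exe"}}
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ImageLoad","ProcessID":5120,"YaraMatch":[],"XmlEventData":{"FileName":"C:\\Users\\analyst\\Downloads\\mimikatz.exe"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventName":"MethodJittingStarted","ProcessID":6100,"YaraMatch":["Seatbelt_GetTokenInformation"],"XmlEventData":{"MethodName":"GetTokenInformation"}}
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ImageLoad","ProcessID":5120,"YaraMatch":[]
{"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ImageLoad","ProcessID":5120,"YaraMatch":[],"XmlEventData":{"FileName":"C:\\Windows\\System32\\kernel32.dll"}}
'''


def parse_records(text: str) -> tuple[list[dict], int]:
    """Parse one JSON object per line; return (records, number of lines skipped).
    A truncated line (trace stopped mid-write) is counted, not fatal."""
    records: list[dict] = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def image_loads_matching(records: Iterable[dict], pattern: str) -> list[dict]:
    """Return ImageLoad events whose loaded file name matches `pattern`
    (case-insensitive regex), the filter applied to the Mimikatz trace above."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for rec in records:
        if rec.get("EventName") != "ImageLoad":
            continue
        file_name = (rec.get("XmlEventData") or {}).get("FileName", "")
        if rx.search(file_name):
            hits.append(rec)
    return hits


def yara_hits(records: Iterable[dict]) -> list[dict]:
    """Return events SilkETW tagged with at least one Yara rule name
    (the records "-yo matches" would have written on their own)."""
    return [rec for rec in records if rec.get("YaraMatch")]


def processes_loading(records: Iterable[dict], pattern: str) -> dict[int, list[str]]:
    """Group matching image loads by process ID, the pivot an analyst takes next."""
    by_pid: dict[int, list[str]] = {}
    for rec in image_loads_matching(records, pattern):
        by_pid.setdefault(rec["ProcessID"], []).append(rec["XmlEventData"]["FileName"])
    return by_pid


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_OUTPUT)
    print(f"{len(recs)} events parsed, {bad} malformed line(s) skipped")
    for pid, files in processes_loading(recs, r"mimikatz").items():
        print(f"PID {pid} loaded: {files}")
    for rec in yara_hits(recs):
        print(f"Yara {rec['YaraMatch']} on {rec['ProviderName']} PID {rec['ProcessID']}")
```

To run it against a real capture, replace SAMPLE_OUTPUT with the contents of the file passed to "-p"; the filter functions take any iterable of decoded records, so they also work on a stream that is still being written.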

Roadmap

As outlined in the introduction, SilkETW is currently a research focused data-collection tool with robust yet rudimentary capabilities. Upcoming changes for SilkETW include, but are not limited to:

  • Offer users the option to write trace data to disk as *.etl files.
  • Create a separate instance of SilkETW that operates in a headless mode as a service and reads a configuration file.
  • Take input from the community on any features that would be beneficial to ETW research.

GitHub

SilkETW is currently available for download on GitHub.

Acknowledgement

Special thanks to the whole Advanced Practices team – and Nick Carr in particular – for their indulgence of my antics! Thanks also to Stephen Davis, Anthony Berglund and Kevin Boyd of the FireEye Labs and Data Science teams for their help on reviewing this project and their prior work on pywintrace. If you are looking for Python ETW bindings you can use programmatically, definitely check out that project.

46 – Innovation, Speeding up Acquisition and Space Enterprise Architecture

Listen to Jeff Rowlison discuss the effort to leverage innovations coming out of the commercial satellite communications industry to support the Warfighter. Hear him discuss the Air Force envisioning the Warfighter roaming from MILSATCOM to COMSATCOM seamlessly, taking advantage of commercial options to accomplish Warfighter missions. Influencing the pace of innovation, the pace of contracting and acquisition are leaders such as General Hyten, the Commander of U.S. Strategic Command and General Raymond, the Commander of U.S. Air Force Space Command. Jeff believes that going forward, companies with the capability to adapt their innovative services to fielded technology will be very important, however nothing happens quickly without funding.

Soldier dies during training


FORT BRAGG, N.C. — Sgt. First Class Ethan Carpenter, a reconnaissance specialist assigned to the Regimental Special Troops Battalion, 75th Ranger Regiment, died during routine military free-fall training at a facility in Arizona, March 15, 2019.

A native of Trumansburg, New York, Carpenter entered the Army, August 31, 2007. He completed One Station Unit Training, Basic Airborne Course, and the Ranger Indoctrination Program at Fort Benning, Georgia. He was then assigned to 1st Battalion, 75th Ranger Regiment, Hunter Army Airfield as an assistant machine gunner; he then progressed to team leader and squad leader.

Carpenter deployed to combat eight times, once to Iraq and seven to Afghanistan before he was assigned as a reconnaissance specialist with the Regimental Special Troops Battalion, June 5, 2017.

“Sgt. First Class Ethan Carpenter was an exemplary Soldier and Ranger Leader, and a dedicated husband and father. He did the toughest jobs well and was the consummate team member when it counted the most, both in garrison training and in deployed combat. He represented our Nation’s best, and we’ll miss him dearly,” said Colonel Joseph Ewers, commander, Regimental Special Troops Battalion.

Carpenter’s awards and decorations include the Purple Heart, Joint Service Commendation Medal with OLC, Afghanistan Campaign Medal, Iraq Campaign Medal, Global War on Terrorism Expeditionary Medal, Ranger Tab, Military Freefall Parachutist Badge, Senior Parachutists Badge, Expert Infantryman’s Badge, and Combat Infantryman’s Badge.

Rangers Lead The Way

AVEVA InduSoft Web Studio and InTouch Edge HMI

1. EXECUTIVE SUMMARY

  • CVSS v3 6.5

  • ATTENTION: Low skill level to exploit
  • Vendor: AVEVA
  • Equipment: InduSoft Web Studio, InTouch Edge HMI
  • Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow execution of unauthorized code or commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA InduSoft Web Studio and InTouch Edge HMI are affected by a vulnerability in a third-party component, Gemalto Sentinel UltraPro encryption keys.

  • InduSoft Web Studio versions prior to v8.1 SP3
  • InTouch Edge HMI versions prior to 2017 Update 3

3.2 VULNERABILITY OVERVIEW

3.2.1    UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The uncontrolled search path element vulnerability allows an attacker to load and execute a malicious REVERB1 dynamic link library (dll) in third-party component Sentinel UltraPro.

CVE-2019-6534 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

ADLab of Venustech reported this vulnerability to NCCIC.

4. MITIGATIONS

AVEVA recommends that users upgrade to the latest versions located at the following links:

InduSoft Web Studio v8.1 SP3

http://download.indusoft.com/81.3.0/IWS81.3.0.zip

InTouch Edge HMI 2017 Update 3

https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52354 (login required)

Users who are unable to upgrade to the latest version of InduSoft Web Studio or InTouch Edge HMI can alternatively apply Security Update LFSec131:

http://www.indusoft.com/download/patches/security/LFSec131.zip 

https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52410 (login required)

For additional information please see AVEVA Security Bulletin LFSEC00000131:

https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec131.pdf

NCCIC recommends users take the following measures to protect themselves from social engineering attacks:

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.