Visonic PowerLink2 Vulnerabilities

OVERVIEW

Independent researcher Aditya K. Sood has identified cross-site scripting and source code disclosure vulnerabilities in Visonic’s PowerLink2 module. Visonic has produced an updated version to mitigate these vulnerabilities.

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

The following PowerLink2 versions are affected:

  • PowerLink2, all versions prior to October 2016 firmware release.

IMPACT

Successful exploitation of these vulnerabilities allows an attacker to learn how server-side images are generated. Combined with additional information gathered by testing the product, this allows the attacker to download images from the server.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Visonic is an Israel-based subsidiary of Tyco that maintains offices in several countries around the world, including the US, UK, Denmark, Poland, Spain, Germany, Singapore, China, and Australia.

The affected product, PowerLink2, provides a web interface to view and control an intrusion security system. According to Visonic, PowerLink2 modules are deployed in the Commercial Facilities sector. Visonic estimates that this product is used primarily in the United States and Europe with a small percentage in Asia.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING

User-controlled input is not neutralized prior to being placed in web page output.

CVE-2016-5811 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

INFORMATION EXPOSURE

When a specific URL to an image is accessed, the downloaded image carries with it source code used in the web server.

CVE-2016-5813 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with low skill would be able to exploit these vulnerabilities.

MITIGATION

Visonic recommends affected users employ the following mitigations:

  • For products that are EOL (end of life), contact the alarm service provider to replace/upgrade the unit to PowerLink3.
  • For products still under production, request that the alarm service provider remotely update the unit with the new firmware version released October 2016.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Moxa DACenter Vulnerabilities

OVERVIEW

Independent researcher Zhou Yu has identified denial-of-service and unquoted service path privilege escalation vulnerabilities in Moxa’s DACenter application. Moxa has produced a patch to mitigate these vulnerabilities. Zhou Yu has tested the patch to validate that it resolves the vulnerabilities.

These vulnerabilities are not exploitable remotely: both CVSS vectors are AV:L, and exploitation requires either a user to open a crafted project file or an existing local account on the system.

AFFECTED PRODUCTS

Moxa reports that the vulnerabilities affect the following versions of DACenter:

  • Versions 1.4 and older.

IMPACT

The resource exhaustion vulnerability may render the DACenter application unavailable; the unquoted search path vulnerability allows an authorized but nonprivileged local user to execute arbitrary code with the privileges of the affected service.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, UK, India, Germany, France, China, Russia, and Brazil.

The affected product, DACenter, provides a standard OPC interface that interacts with Moxa Active OPC Server for real-time data collection. According to Moxa, DACenter is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater Systems, and others. Moxa estimates that this product is used primarily in the United States and Europe with a small percentage in Asia.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

RESOURCE EXHAUSTION

A specially crafted project file may cause the program to crash.

CVE-2016-9354 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

UNQUOTED SEARCH PATH OR ELEMENT

The application's service is registered with an unquoted executable path containing spaces (CWE-428). Windows resolves such a path by trying each space-delimited prefix with .exe appended, so a local user who can write to a directory along the path can plant a binary that is launched with the service's privileges.

CVE-2016-9356 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
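
The following Python is an added example, not Moxa's code or part of the advisory. It shows how an unquoted service ImagePath is resolved, which planted files would hijack it, and the quoted form that fixes it; the directory-ACL check is stood in for by a caller-supplied set so the code runs offline. The DACenter install path used is invented for illustration and is not the product's real location.

```python
# Added example (not Moxa's code): how Windows resolves an unquoted service
# ImagePath (CWE-428) and which planted files would hijack it.
# The DACenter install path used below is invented for illustration.
import ntpath


def executable_part(image_path: str) -> tuple[str, bool]:
    """Return (executable path, quoted?) from a service ImagePath.

    A quoted path is taken verbatim from between the quotes; an unquoted one
    is everything up to and including the first '.exe' (arguments follow it).
    Simplification: a directory name containing '.exe' would be cut short.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0], True
    idx = p.lower().find(".exe")
    exe = p[: idx + 4] if idx != -1 else p.split(" ", 1)[0]
    return exe, False


def is_unquoted_with_spaces(image_path: str) -> bool:
    """CWE-428 condition: executable path unquoted and containing a space."""
    exe, quoted = executable_part(image_path)
    return not quoted and " " in exe


def hijack_candidates(image_path: str) -> list[str]:
    """Paths CreateProcess tries before the intended binary.

    For 'C:\\Program Files\\Vendor App\\app.exe' Windows tries
    'C:\\Program.exe', then 'C:\\Program Files\\Vendor.exe', then the real one.
    """
    if not is_unquoted_with_spaces(image_path):
        return []
    exe, _ = executable_part(image_path)
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def exploitable_candidates(image_path: str, writable_dirs: set[str]) -> list[str]:
    """Candidates whose parent directory a low-privileged user can write to.

    writable_dirs stands in for an ACL check (e.g. icacls output); it is
    supplied by the caller so the function runs offline.
    """
    norm = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in hijack_candidates(image_path)
            if ntpath.dirname(c).rstrip("\\").lower() in norm]


def quoted_image_path(image_path: str) -> str:
    """The fix: quote the executable portion, keeping any arguments."""
    exe, quoted = executable_part(image_path)
    if quoted:
        return image_path.strip()
    rest = image_path.strip()[len(exe):]
    return f'"{exe}"{rest}'


if __name__ == "__main__":
    # Constructed example path; not DACenter's real install location.
    svc = r"C:\Program Files\Moxa DACenter\DACenter.exe -service"
    print(is_unquoted_with_spaces(svc))
    print(hijack_candidates(svc))
    print(exploitable_candidates(svc, {r"C:\Program Files"}))
    print(quoted_image_path(svc))
```

On a live host the writable-directory set would come from the ACLs of each candidate's parent directory; on a default Windows installation neither C:\ nor C:\Program Files is writable by standard users, so the finding is only exploitable where an installer or administrator has loosened those permissions.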

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities are not exploitable remotely; both require local access (a crafted project file opened by a user, or an existing local account).

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION

Moxa recommends replacing existing DACenter installations with the new MX-AOPC UA suite. DACenter reaches end-of-life at the end of 2016, and no further updates will be issued.

For existing DACenter installations, Moxa recommends contacting the Moxa Technical Support team or visiting the Moxa technical support web page at:

http://www.moxa.com/support

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities

OVERVIEW

Researchers axt and Ariele Caltabiano each working with Trend Micro’s Zero Day Initiative (ZDI) have identified vulnerabilities in Delta Electronics’ WPLSoft, ISPSoft, and PMSoft software applications. Delta Electronics has produced new software versions to mitigate these vulnerabilities.

AFFECTED PRODUCTS

The following Delta Electronics products and versions are affected:

  • WPLSoft, Versions prior to V2.42.11,
  • ISPSoft, Versions prior to V3.02.11, and
  • PMSoft, Versions prior to V2.10.10.

IMPACT

Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Delta Electronics is a Taiwan-based company that maintains offices in several countries around the world, including China, Japan, South Korea, Singapore, India, Brazil, and the US.

The affected products, WPLSoft, ISPSoft, and PMSoft, are platforms for editing the control software of Delta DVP series motion-control programmable logic controllers (PLCs). According to Delta Electronics, these platforms are used to prepare process control systems (PCSs) for deployment across a variety of industrial automation environments within the Critical Manufacturing Sector. Delta Electronics estimates that these products are used primarily in Asia and Europe with a small percentage in the US.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

HEAP-BASED BUFFER OVERFLOW

There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service.

CVE-2016-5805 has been assigned to these vulnerabilities. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

OUT-OF-BOUNDS WRITE

Multiple instances of out-of-bounds conditions may allow malicious files to be read and executed by the affected software.

CVE-2016-5802 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction. These exploits are triggered when a local user runs the vulnerable application and loads malformed files with .dvp or other extensions.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities in these products.

DIFFICULTY

Crafting a working exploit for these vulnerabilities would be difficult. Social engineering is required to convince the user to accept the malformed file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.

MITIGATION

Delta Electronics recommends affected users update their software to the latest versions ISPSoft V3.02.11, PMSoft V2.10.10, and WPLSoft V2.42.11 that are available through the following links:

  • ISPSoft V3.02.11

http://www.deltaww.com/filecenter/Products/download/06/060301/Software/DELTA_IA-PLC_ISPSoft-V3-02-11_SW_20161115.zip

  • PMSoft V2.10.10

http://www.deltaww.com/filecenter/Products/download/06/060301/Software/DELTA_IA-PLC_PMSoft-V2-10-10_SW_20161115.zip

  • WPLSoft V2.42.11

http://www.deltaww.com/filecenter/Products/download/06/060301/Software/DELTA_IA-PLC_WPLSoft-V2-42-11_SW_20161115.zip

ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open unsolicited attachments in email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability

OVERVIEW

Mingzheng Li from Acorn Network Security Lab has identified an ActiveX vulnerability in Siemens’ SIMATIC WinCC and SIMATIC PCS 7. Siemens has produced a new version to mitigate this vulnerability.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

Siemens reports that the vulnerability affects the following versions of SIMATIC:

  • SIMATIC WinCC: All versions prior to SIMATIC WinCC V7.2, and
  • SIMATIC PCS 7: All versions prior to SIMATIC PCS 7 V8.0 SP1

IMPACT

Exploitation of this vulnerability may allow an attacker to crash the component or leak application memory content.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Siemens is a multinational company headquartered in Munich, Germany.

The affected products are: SIMATIC WinCC, a supervisory control and data acquisition (SCADA) system; and SIMATIC PCS 7, a distributed control system (DCS) integrating SIMATIC WinCC. These products are deployed across several sectors including Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems. Siemens estimates that these products are used worldwide.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER

An attacker could crash an ActiveX component or leak parts of the application memory if a user is tricked into clicking on a malicious link under certain conditions. An attacker must have control over a web site that is allowed to execute ActiveX components.

CVE-2016-9160 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L).

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability cannot be exploited without user interaction. The exploit is triggered only when a user is social engineered into clicking a malicious link to a web site that is allowed to execute ActiveX components.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to click on the malicious link.

MITIGATION

Siemens provides SIMATIC WinCC V7.2 and newer, and SIMATIC PCS 7 V8.0 SP1 and newer, which fix the vulnerability. Users can obtain these newer versions by contacting the local Siemens representative or customer support at:

https://w3.siemens.com/aspa_app/

Until users can upgrade to the new versions, Siemens recommends the following mitigations to reduce the risk:

  • Only allow execution of ActiveX components on trusted sites.
  • Apply defense-in-depth concepts.

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-693129 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm

Siemens advises configuring the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.

https://www.siemens.com/cert/operational-guidelines-industrial-security

ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open unsolicited attachments in email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Siemens S7-300/400 PLC Vulnerabilities

OVERVIEW

Zhu WenZhe from Beijing Acorn Network Technology has identified password leak and denial-of-service vulnerabilities in Siemens’ S7-300 and S7-400 programmable logic controllers. Siemens has released Security Advisory SSA-731239 with advice to mitigate these vulnerabilities.

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

Siemens reports that the vulnerabilities affect the following versions of SIMATIC PLC family:

  • SIMATIC S7-300 CPU family: All versions.
  • SIMATIC S7-400 CPU family: All versions.

IMPACT

Successful exploitation of these vulnerabilities could lead to a denial-of-service condition or result in credential disclosure.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Siemens is a multinational company headquartered in Munich, Germany.

The affected products, SIMATIC S7-300 and S7-400 PLC family, have been designed for process control in industrial environments. According to Siemens, SIMATIC S7-300 and S7-400 PLCs are deployed across several sectors including Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems. Siemens estimates that these products are used worldwide.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INADEQUATE ENCRYPTION STRENGTH

An attacker with network access to Port 102/TCP (ISO-TSAP) could obtain credentials from the PLC if Protection-level 2 is configured on the affected devices. This vulnerability affects all listed affected products.

CVE-2016-9159 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated with a CVSS vector string of: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

PROTECTION MECHANISM FAILURE

Specially crafted packets sent to Port 80/TCP could cause the affected devices to go into defect mode. A cold restart is required to recover the system. This vulnerability affects all SIMATIC S7-300 PN CPUs, and all SIMATIC S7-400 PN V6 and V7 CPUs.

CVE-2016-9158 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated with a CVSS vector string of: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION

Siemens recommends the following mitigations:

  • Deactivate the web server.
  • Apply Protection-level 3 read/write protection.
  • Apply cell protection concept.
  • Apply defense-in-depth strategies.
  • Use VPN for protecting network communication between cells.

Siemens strongly recommends that users protect network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN). Siemens also advises that users configure the operational environment according to Siemens' Operational Guidelines for Industrial Security:

https://www.siemens.com/cert/operational-guidelines-industrial-security

For more information on these vulnerabilities and more detailed mitigation instructions, please see Siemens Security Advisory SSA-731239 at the following location:

http://www.siemens.com/cert/advisories

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

McAfee Releases Security Bulletin for Virus Scan Enterprise

Original release date: December 12, 2016 | Last revised: December 14, 2016

McAfee has released a security bulletin to address multiple vulnerabilities in VirusScan Enterprise for Linux (VSEL), versions 2.0.3 and earlier. Some of these vulnerabilities could allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review McAfee Security Bulletin SB10181 and CERT/CC Vulnerability Note VU#245327 and apply the necessary updates.


Moxa MiiNePort Session Hijack Vulnerabilities

OVERVIEW

Independent researcher Aditya Sood has identified vulnerabilities in Moxa’s MiiNePort. Moxa has produced new firmware editions to mitigate these vulnerabilities.

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

Moxa reports that the vulnerabilities affect the following versions of MiiNePort:

  • MiiNePort E1 versions prior to 1.8,
  • MiiNePort E2 versions prior to 1.4, and
  • MiiNePort E3 versions prior to 1.1

IMPACT

An attacker may be able to gain user-level access to the target system by exploiting these vulnerabilities.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, the UK, India, Germany, France, China, Russia, and Brazil.

The affected product, MiiNePort, is a serial device server module. According to Moxa, MiiNePort is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, and Transportation Systems. Moxa estimates that this product is used primarily in the United States and Europe with a small percentage in Asia.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS

An attacker may be able to brute force an active session cookie to be able to download configuration files.

CVE-2016-9344 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CLEARTEXT STORAGE OF SENSITIVE INFORMATION

Configuration data are stored in a file that is not encrypted.

CVE-2016-9346 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION

Moxa has released new firmware editions that address the identified vulnerabilities in MiiNePort devices. Moxa recommends installing these new firmware editions:

  • MiiNePort E1, Version 1.8,
  • MiiNePort E2, Version 1.4, and
  • MiiNePort E3, Version 1.1

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Sauter NovaWeb Web HMI Authentication Bypass Vulnerability

OVERVIEW

Independent researcher Maxim Rupp has identified an authentication bypass vulnerability in Sauter’s NovaWeb web HMI application. Sauter has not produced a mitigation for this vulnerability. This product was discontinued in 2013 and is no longer supported.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following NovaWeb versions are affected:

  • NovaWeb web HMI, all versions.

IMPACT

An attacker can bypass authentication by modifying values in a cookie.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Sauter is a Germany-based company that also maintains an office in Switzerland.

The affected product, novaWeb web HMI, is a web-based HMI system. According to Sauter, novaWeb was deployed in the Commercial Facilities and Critical Manufacturing sectors. Sauter estimates that this product is used primarily in Europe.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

RELIANCE ON COOKIES WITHOUT VALIDATION AND INTEGRITY CHECKING IN A SECURITY DECISION

The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.

CVE-2016-5782 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
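
The following Python is an added example, not code from Sauter, Moxa or the advisory. It shows the two properties a session cookie needs to close both this finding (CVE-2016-5782, a cookie whose values are trusted without validation) and the MiiNePort one above (CVE-2016-9344, a session cookie that can be brute forced): an identifier too large to guess, and an HMAC over every claim so that an edited cookie is rejected. The 'before' check, the cookie layout, the field names and the key handling are assumptions made for illustration.

```python
# Added example, not Sauter's or Moxa's code: a session cookie that is both
# unguessable (MiiNePort finding) and tamper-evident (NovaWeb finding).
# Cookie layout, field names and key handling are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Per-process key for the demo; a real deployment loads it from protected storage.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_is_admin(cookie: str) -> bool:
    """Constructed 'before' pattern: the role claim is read straight from the
    cookie, so a client that rewrites role=user to role=admin is believed."""
    fields = dict(kv.split("=", 1) for kv in cookie.split(";") if "=" in kv)
    return fields.get("role") == "admin"


def mint_cookie(user: str, role: str, key: bytes = SERVER_KEY) -> str:
    """Issue <base64url(claims)>.<hmac-sha256 tag>. The sid is 128 random bits,
    so guessing an active session is infeasible; the tag binds every claim."""
    claims = {"sid": secrets.token_hex(16), "user": user, "role": role}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def parse_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the claims only if the tag verifies; None on any tampering."""
    try:
        b64, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload)


def hardened_is_admin(cookie: str, key: bytes = SERVER_KEY) -> bool:
    """'After': the role is trusted only when the tag over it verifies."""
    claims = parse_cookie(cookie, key)
    return bool(claims) and claims.get("role") == "admin"


def rewrite_claim(cookie: str, field: str, value: str) -> str:
    """What an attacker can do to the signed cookie: edit a claim but keep the
    old tag. parse_cookie must reject the result."""
    b64, tag = cookie.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64.encode()))
    claims[field] = value
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def expected_guesses(id_bits: int) -> int:
    """Average guesses to hit one active session identifier of the given size:
    half the space. Four decimal digits is about 13 bits; the sid is 128."""
    return 2 ** (id_bits - 1)


if __name__ == "__main__":
    print(vulnerable_is_admin("user=alice;role=admin"))           # trusted as-is
    c = mint_cookie("alice", "user")
    print(hardened_is_admin(c))
    print(hardened_is_admin(rewrite_claim(c, "role", "admin")))   # tag no longer matches
    print(expected_guesses(13), expected_guesses(128))
```

The tag only proves the cookie was minted by the server; it does not stop a stolen cookie from being replayed, so the session identifier must still be kept off the wire (HTTPS, HttpOnly) and tied to a server-side session that can be expired.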

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a low skill would be able to exploit this vulnerability.

MITIGATION

Sauter has not produced a mitigation for this vulnerability. This product was discontinued in 2013 and is no longer supported.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Adcon Telemetry A850 Telemetry Gateway Base Station Vulnerabilities

OVERVIEW

Independent researcher Aditya K. Sood has identified a cross-site scripting vulnerability in Adcon Telemetry’s A850 Telemetry Gateway Base Station. Adcon Telemetry has produced a new firmware version to mitigate this vulnerability.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following A850 Telemetry Gateway Base Station versions are affected:

  • A850 Telemetry Gateway Base Station, all versions.

IMPACT

Successful exploitation of this vulnerability could allow the injection of arbitrary JavaScript that may affect the integrity of the system.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Adcon Telemetry is an Austria-based company that maintains offices in several countries around the world, including the US, Germany, and Austria.

The affected product, A850 Telemetry Gateway Base Station, is a wireless telemetry system. According to Adcon Telemetry, A850 Telemetry Gateway Base Stations are deployed across several sectors including Commercial Facilities, Critical Manufacturing, Water and Wastewater Systems, and others. Adcon Telemetry estimates that this product is used primarily in the United States and Europe.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING

The web interface does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in the output, which could allow cross-site scripting.

CVE-2016-2274 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
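The flaw class described above, shown as an added example that is not Adcon Telemetry's code: a reflected request parameter interpolated into a page verbatim beside the same page rendered with output encoding, plus a review check over constructed probe strings (the page template, the `station` field name and the probes are all assumptions).

```python
import html
from typing import Dict

# Assumed page fragment: the same parameter lands between tags and inside a quoted attribute.
PAGE = '<p>Station: {name}</p>\n<input name="station" value="{name}">'

def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the request parameter is interpolated into the
    page verbatim, so markup in the input becomes markup in the output."""
    return PAGE.format(name=name)

def render_safe(name: str) -> str:
    """Hardened pattern: neutralise the HTML-significant characters before
    output (quote=True also encodes ' and "), so the input stays text both
    between tags and inside the quoted attribute value."""
    return PAGE.format(name=html.escape(name, quote=True))

# Constructed probe strings of the kinds an input-handling review tries.
PROBES: Dict[str, str] = {
    "plain": "Gateway 7",
    "element": "<script>alert(1)</script>",
    "attr_breakout": '" autofocus onfocus="alert(1)',
    "entity_roundtrip": "A &amp; B",
}

def leaks_markup(rendered: str, original: str) -> bool:
    """Review check: true when the probe carried an HTML metacharacter and
    reappears in the rendered page unchanged, i.e. it was not neutralised."""
    return any(ch in original for ch in '<>"\'&') and original in rendered
```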

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with low skill would be able to exploit this vulnerability.

MITIGATION

Adcon Telemetry has produced a new firmware version to mitigate this vulnerability. Adcon recommends users contact its distributor for information on how to obtain the new firmware version.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

INTERSCHALT VDR G4e Path Traversal Vulnerability

OVERVIEW

Independent researcher Maxim Rupp has identified a path traversal vulnerability in INTERSCHALT Maritime Systems’ (INTERSCHALT) VDR G4e application. INTERSCHALT has produced a patch to mitigate this vulnerability. Maxim Rupp has tested the patch to validate that it resolves the vulnerability.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

INTERSCHALT reports that the vulnerability affects the following versions of VDR G4e:

  • Versions 5.220 and prior.

IMPACT

Successful exploitation of this vulnerability could allow an attacker to read/download arbitrary files from the target host.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

INTERSCHALT is a Germany-based company that maintains offices in several countries around the world, including the United States, China, and Germany.

The affected product, VDR G4e, is a maritime voyage data recorder. According to INTERSCHALT, VDR G4e is deployed in the Transportation Systems sector. INTERSCHALT estimates that this product is used primarily in the United States and Europe with a small percentage in Asia.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (“PATH TRAVERSAL”)

External input is used to construct paths to files and directories without properly neutralizing special elements within the pathname that could allow an attacker to read files on the system.

CVE-2016-9339 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
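The weakness described above, as an added example that is not INTERSCHALT's code: a file-download handler that joins external input onto a base directory as-is, beside a hardened version that canonicalises the path and refuses anything outside the base, followed by a detection aid that flags dot-dot requests in access-log lines (the directory layout, the `file=` parameter and the log lines are all constructed assumptions).

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample tree: one file the handler may serve, one it must not.
ROOT = Path(tempfile.mkdtemp())
SERVE_DIR = ROOT / "records"
SERVE_DIR.mkdir()
(SERVE_DIR / "voyage-001.log").write_text("constructed record data\n")
(ROOT / "config.ini").write_text("constructed secret=do-not-leak\n")

def read_unsafe(name: str) -> str:
    """Vulnerable pattern: external input is joined onto the base path and
    opened as-is, so '..' segments or an absolute name escape SERVE_DIR."""
    with open(os.path.join(SERVE_DIR, name)) as fh:
        return fh.read()

def read_safe(name: str) -> Optional[str]:
    """Hardened pattern: canonicalise the requested path (symlinks included)
    and serve it only if it is a regular file strictly inside SERVE_DIR."""
    base = SERVE_DIR.resolve()
    target = (base / name).resolve()
    # 'base in target.parents' fails for '..' escapes, absolute names and base itself
    if base not in target.parents or not target.is_file():
        return None
    return target.read_text()

# Constructed access-log lines (common log format layout is assumed).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2016:10:00:00 +0000] "GET /download?file=voyage-001.log HTTP/1.1" 200 24',
    '10.0.0.9 - - [01/Dec/2016:10:00:07 +0000] "GET /download?file=..%2F..%2Fconfig.ini HTTP/1.1" 200 31',
    '10.0.0.9 - - [01/Dec/2016:10:00:09 +0000] "GET /download?file=%252e%252e/config.ini HTTP/1.1" 200 31',
]

# A dot-dot segment bounded on the left by a separator, '=', '?' or '&'.
DOTDOT = re.compile(r"(^|[/\\=?&])\.\.([/\\]|$)")

def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Detection aid: return log lines whose request path carries a dot-dot
    segment, decoding twice to catch single- and double-URL-encoded forms."""
    flagged = []
    for line in log_lines:
        path = line.split('"')[1].split(" ")[1]   # request target from 'GET /path HTTP/1.1'
        if DOTDOT.search(unquote(unquote(path))):
            flagged.append(line)
    return flagged
```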

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with low skill would be able to exploit this vulnerability.

MITIGATION

INTERSCHALT recommends that affected users update their devices to Version 5.230 as soon as possible.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.