GE Bently Nevada 3500/22M

GE Bently Nevada 3500/22M Improper Authorization Vulnerability

CVE-2016-5788

GE has identified an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system. GE has produced a new firmware version to mitigate this vulnerability in the USB version of the GE Bently Nevada 3500/22M monitoring system.

This vulnerability could be exploited remotely.

AFFECTED PRODUCT

The following GE Bently Nevada 3500/22M firmware versions are affected:

  • GE Bently Nevada 3500/22M (USB version), all versions prior to firmware Version 5.0, and
  • GE Bently Nevada 3500/22M (serial version), all versions.

IMPACT

Successful exploitation of the identified vulnerability may allow a remote attacker to gain unauthorized access to the affected device with elevated privileges.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

GE Bently Nevada is a wholly owned subsidiary of GE, a US-based company that maintains offices in several countries around the world.

The affected product, GE Bently Nevada 3500/22M, is a vibration monitoring system. According to GE, the GE Bently Nevada 3500/22M is deployed across several sectors including Chemical and Energy. GE estimates that these products are used worldwide.

IMPROPER AUTHORIZATION

Several open ports have been identified on the affected device, which allow unauthorized access to the device with elevated privileges.

EXPLOITABILITY

This vulnerability could be exploited remotely.

MITIGATION

GE has released a new firmware version for the GE Bently Nevada 3500/22M TDI USB monitoring system, Version 5.0. GE’s new firmware can only be applied to the USB version of the GE Bently Nevada 3500/22M monitoring system; no fix is available for the serial version. Users registered with a GE Bently Nevada Technical Support Agreement can download Version 5.0 and access GE’s Technical Information Letter (TIL-149700250) at:

http://www.bntechsupport.com

American Auto-Matrix Front-End Solutions Vulnerability

CVE-2016-2307

Local file inclusion and plaintext password storage vulnerabilities exist in American Auto-Matrix’s Building Automation Front-End Solutions application. The Aspect-Matrix hardware platform reached end of life in 2015 and will not receive further updates.

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

The following Building Automation Front-End Solutions versions are affected:

  • Aspect-Nexus Building Automation Front-End Solutions application versions prior to 3.0.0
  • Aspect-Matrix Building Automation Front-End Solutions application all versions.

IMPACT

User logins and passwords presented in plain text give an attacker authenticated credentials to all aspects of the system.

BACKGROUND

According to American Auto-Matrix, Building Automation Front‑End Solutions application is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater systems, and others. American Auto-Matrix estimates that this product is used primarily in the United States.

LOCAL FILE INCLUSION

Without authorization, the attacker can read files on the host, including the configuration file.

PLAIN TEXT STORAGE OF A PASSWORD

In a file that is accessible without authentication, passwords are presented in plain text.
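The two weaknesses above chain naturally: a file-fetch endpoint that joins a client-supplied name onto the web root lets an unauthenticated client walk out of that directory and read the configuration file, and the plaintext credentials in that file are then enough to log in as an administrator. The following added example (not code from American Auto-Matrix, and with a constructed directory layout and a made-up credential) shows the unsafe join beside a hardened version that canonicalizes the path and enforces containment in the web root:

```python
"""Path handling behind a web file-fetch endpoint: the unsafe pattern beside a
hardened one. Added example, not American Auto-Matrix code; the directory
layout, file names and credential below are constructed for illustration."""
import os
import tempfile
from pathlib import Path


def serve_file_unsafe(web_root: str, requested: str) -> bytes:
    """Vulnerable: joins the client-supplied name onto the web root without
    checking where the result lands. '../' sequences (and absolute paths,
    which os.path.join silently honours) escape web_root."""
    path = os.path.join(web_root, requested)
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_safe(web_root: str, requested: str) -> bytes:
    """Hardened: canonicalise both sides, then require the target to stay
    inside web_root. Symlinks are resolved before the containment check, so a
    link pointing outside the tree is rejected as well."""
    root = Path(web_root).resolve()
    target = (root / requested).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def build_demo_tree() -> str:
    """Constructed layout: a web root holding one public page, and a config
    file with a made-up plaintext credential one level above it."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    web_root = os.path.join(base, "htdocs")
    os.makedirs(web_root)
    Path(web_root, "index.html").write_text("<h1>ok</h1>")
    # constructed sample credential, not from any real product
    Path(base, "config.ini").write_text("[auth]\nadmin_password=hunter2\n")
    return web_root


def demo() -> dict:
    """Run the traversal against both implementations and report the outcome."""
    web_root = build_demo_tree()
    traversal = "../config.ini"
    results = {
        "unsafe_leaks": b"admin_password" in serve_file_unsafe(web_root, traversal)
    }
    try:
        serve_file_safe(web_root, traversal)
        results["safe_blocks"] = False
    except PermissionError:
        results["safe_blocks"] = True
    results["safe_serves_legit"] = (
        serve_file_safe(web_root, "index.html") == b"<h1>ok</h1>"
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path rather than on the raw string, so encoded or doubled traversal sequences and symlinks are all judged by where the file actually lives. Keeping configuration files outside the served tree, as the demo layout does, is what makes the check sufficient; a config file inside the web root would still be readable by anyone who guesses its name.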

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

MITIGATION

American Auto-Matrix recommends the following steps:

Download the zip file located at Dealer Toolbox (http://www.aamatrix.com/aspect-new-features) under Product Support > Software Updates. Then:

  • Unzip the attached file
  • Install the .aam file through the WebUI under [System Administration > System Updates]

Users will then need to reboot the unit in order to complete the upgrade process.

Siemens SCALANCE M-800 Web Vulnerability

Siemens SCALANCE M-800/S615 Web Vulnerability

CVE-2016-7090

Exploitation of this vulnerability could allow an attacker in a privileged network position to obtain web session cookies under certain circumstances.

SENSITIVE COOKIE IN HTTPS SESSION WITHOUT “SECURE” ATTRIBUTE

The integrated web server delivers session cookies without the “secure” flag. A browser honoring that flag will not send the cookie over clear-text HTTP, so setting it would prevent the session cookie from leaking if a request to the device is ever made without TLS.

EXPLOITABILITY

This vulnerability could be exploited remotely.

MITIGATION

Siemens provides firmware version V4.2 for SCALANCE M-800/S615 to mitigate this vulnerability. The firmware version can be obtained here:

https://support.industry.siemens.com/cs/ww/en/view/109740858

Moxa Active OPC Server CVE-2016-5793

Moxa Active OPC Server Unquoted Service Path Escalation Vulnerability CVE-2016-5793

AFFECTED PRODUCTS

Moxa reports that the vulnerability affects the following product:

  • Active OPC Server versions older than Version 2.4.19

The affected product, Active OPC Server, is a software package that operates as an OPC driver for an HMI or SCADA system. According to Moxa, Active OPC Server is deployed across several sectors including Commercial Facilities,

UNQUOTED SERVICE PATH

This vulnerability allows an authenticated local user with write access to a directory along the service’s unquoted installation path to escalate privileges by placing an executable there, which the service control manager may run in place of the intended binary.
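An unquoted ImagePath with spaces is ambiguous to CreateProcess, which tries each space-delimited prefix as an executable before reaching the intended binary. The added example below (not Moxa code; the sample paths are constructed and do not describe the Active OPC Server layout) derives those candidate paths from a service’s ImagePath and, on Windows, enumerates the local Services registry key to find every affected service:

```python
"""Find unquoted service paths (CWE-428) and list the executables the service
control manager would try before the real binary. Added example, not Moxa
code; SAMPLE_SERVICES is constructed and does not describe any real product."""
import os
import re

# Constructed registry-style entries: service name -> ImagePath value.
SAMPLE_SERVICES = {
    "SafeSvc": r'"C:\Program Files\Vendor Tools\svc.exe" -service',
    "WeakSvc": r"C:\Program Files\Vendor Tools\opcsvc.exe -service",
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def hijack_candidates(image_path: str) -> list[str]:
    """For an unquoted ImagePath containing spaces, return the paths Windows
    would try first. A quoted path or one without spaces yields []."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Drop any arguments that follow the executable name.
    match = re.match(r"(?i)^(.*?\.exe)\b", path)
    exe = match.group(1) if match else path
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # CreateProcess appends .exe when a candidate lacks an extension.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_image_paths(services: dict[str, str]) -> dict[str, list[str]]:
    """Services whose ImagePath is exploitable, with their candidate hijack paths."""
    findings = {}
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


def read_local_services() -> dict[str, str]:
    """Read ImagePath for every service from the registry; returns {} off Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    services = {}
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
                    services[name] = os.path.expandvars(value)
            except OSError:
                continue  # no ImagePath (e.g. drivers without one)
    return services


if __name__ == "__main__":
    entries = read_local_services() or SAMPLE_SERVICES
    for svc, paths in audit_image_paths(entries).items():
        print(svc)
        for p in paths:
            print("   would try:", p)
```

A candidate path is only exploitable when a non-administrative user can create a file at that location, so each result still needs its parent directory’s ACL checked (for example with `icacls`); the usual fix is to quote the ImagePath value.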

MITIGATION

Moxa recommends replacing existing Active OPC Server installations with the new software, MX-AOPC UA Server. Active OPC Server reaches end of life at the end of 2016, and no further updates will be issued.

For existing Active OPC installations, Moxa suggests upgrading to Active OPC Server Version 2.4.19, available at:

http://www.moxa.com/support

Yokogawa STARDOM CVE-2016-4860

Yokogawa STARDOM Authentication Bypass Vulnerability CVE-2016-4860

IMPACT

Yokogawa and JPCERT/CC have identified an authentication bypass vulnerability in the Yokogawa STARDOM controller. An attacker may be able to exploit this vulnerability to execute commands such as stopping the application program, changing values, and modifying the application.

AFFECTED PRODUCTS

Yokogawa reports that the vulnerability affects the following products:

  • STARDOM FCN/FCJ controller (from Version R1.01 to R4.01).

AUTHENTICATION BYPASS ISSUES

Logic Designer can connect to STARDOM controller without authentication.

MITIGATION

Yokogawa has remediated the vulnerability with the latest release R4.02. The following link leads to Yokogawa’s STARDOM web site:

http://stardom.biz

Siemens SIPROTEC 4 CVE-2016-7112

Siemens SIPROTEC 4 and SIPROTEC Compact Vulnerabilities CVE-2016-7112

AFFECTED PRODUCTS

Siemens reports that these vulnerabilities affect the following products:

  • EN100 Ethernet module (as optional for SIPROTEC 4 and SIPROTEC Compact): All versions prior to V4.29

Resource Exhaustion: Specially crafted packets sent to Port 80/TCP could cause the affected device to go into defect mode.

Authentication Bypass: Attackers with network access to the device’s web interface (Port 80/TCP) could possibly circumvent authentication and perform administrative operations. A legitimate user must be logged into the web interface for the attack to be successful.

MITIGATION

Siemens provides firmware update V4.29 for EN100 modules included in SIPROTEC 4 and SIPROTEC Compact devices to fix the vulnerabilities. Siemens recommends users update to the latest firmware version.

The firmware update for SIPROTEC 4 can be obtained from the SIPROTEC 4 downloads area:

http://www.siemens.com/downloads/siprotec-4

Rockwell Automation MicroLogix 1400

Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability

CVE-2016-5645

An undocumented and privileged Simple Network Management Protocol (SNMP) community string exists in MicroLogix 1400 programmable logic controllers (PLC). Rockwell Automation has released mitigation strategies to protect against this threat.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

Rockwell Automation reports that the vulnerability affects all versions of the following products:

  • 1766-L32BWA
  • 1766-L32AWA
  • 1766-L32BXB
  • 1766-L32BWAA
  • 1766-L32AWAA
  • 1766-L32BXBA

IMPACT

This vulnerability may allow an attacker to make unauthorized changes to the product’s configuration, including firmware updates.

BACKGROUND

Rockwell Automation, which is a US-based company, provides industrial automation control and information products worldwide across a wide range of industries.

The MicroLogix are PLCs. According to Rockwell Automation, these products are deployed across several sectors, including Chemical, Critical Manufacturing, Food and Agriculture, Water and Wastewater Systems, and others.

EXECUTION WITH UNNECESSARY PRIVILEGES

The MicroLogix 1400 uses this privileged SNMP community string as its official mechanism for applying firmware updates to the product.

EXPLOITABILITY

This vulnerability could be exploited remotely.

MITIGATION

Due to the nature of this product’s firmware update process, this capability cannot be removed from the product. Instead, mitigations are offered to reduce risk of this capability being used by a malicious actor.

Rockwell Automation recommends that users using affected versions of the MicroLogix 1400 evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously.

  • Utilize the product’s “RUN” keyswitch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See KB496391 for more information on blocking access to SNMP services.
  • Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 product manual for detailed instructions on enabling and disabling SNMP.
    • Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
    • Note: Changing the SNMP community strings is not an effective mitigation.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
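Because the community string cannot be changed away (the advisory notes that rotating it is not an effective mitigation), the useful verification after disabling SNMP or filtering UDP/161 is simply whether the controller still answers SNMP at all. The added example below (not Rockwell code) hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER, sends it, and reports whether a GetResponse came back; the community string, target host and request id are operator-supplied and the undocumented string from the advisory is not needed or included:

```python
"""Probe whether a device still answers SNMP, to confirm the disable/firewall
mitigations took effect. Added example, not Rockwell Automation code. The
community string and host are supplied by the operator."""
import socket

SYSDESCR = "1.3.6.1.2.1.1.1.0"


def _tlv(tag: int, payload: bytes) -> bytes:
    """BER tag-length-value with definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (at least one byte)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def _ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv1 message carrying one GetRequest-PDU (tag 0xA0) for `oid`."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")  # OID, NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))  # request-id, error-status, error-index
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def is_get_response(data: bytes) -> bool:
    """True if `data` is an SNMP message whose PDU is a GetResponse (tag 0xA2)."""
    try:
        tag, body, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return False
        _, _, pos = _read_tlv(body, 0)     # version
        _, _, pos = _read_tlv(body, pos)   # community
        pdu_tag, _, _ = _read_tlv(body, pos)
        return pdu_tag == 0xA2
    except IndexError:
        return False


def probe(host: str, community: str, timeout: float = 2.0, port: int = 161) -> bool:
    """Send one GetRequest; True means the agent answered. After disabling
    SNMP or filtering UDP/161 at the firewall this should return False."""
    request = build_get_request(community, SYSDESCR, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return is_get_response(data)


if __name__ == "__main__":
    import sys
    target, community = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "public")
    print("SNMP reachable:" if probe(target, community) else "no SNMP response from", target)
```

Run it from a host on the segment that should no longer reach the PLC (and from one that legitimately should, during a firmware update window) to confirm the firewall rule or the disabled service behaves as intended; a wrong community string on a reachable agent typically produces silence as well, so a negative result from an authorized host should be cross-checked with the known-good string.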

Siemens SINEMA

Siemens SINEMA Server Privilege Escalation Vulnerability

CVE-2016-6486

IMPROPER ACCESS CONTROL

The file permissions set for the SINEMA Server application folder could allow users, authenticated via the operating system, to escalate their privileges.

AFFECTED PRODUCTS

Siemens reports that the vulnerability affects the following products:

  • SINEMA Server: All versions.

MITIGATION

Siemens provides a temporary fix for existing installations, described at:

https://w3.siemens.com/aspa_app/

Siemens SINEMA Remote Connect

Siemens SINEMA Remote Connect Server Cross-site Scripting Vulnerability

CVE-2016-6204

Siemens has identified a cross-site scripting (XSS) vulnerability in the Siemens SINEMA Remote Connect Server application. Siemens has produced an update to mitigate this vulnerability.

AFFECTED PRODUCTS

The following SINEMA Remote Connect Server versions are affected:

  • SINEMA Remote Connect Server, all versions prior to Version 1.2

IMPACT

Exploiting this vulnerability could enable attackers to read some files from Siemens SINEMA Remote Connect Server devices. This could give a remote attacker ongoing access to these devices.

BACKGROUND

The affected product, SINEMA Remote Connect Server, is a network management appliance for industrial applications and allows network monitoring as well as diagnostics and reporting functions integrated into SCADA systems such as WinCC.

VULNERABILITY

The integrated web server (Port 443/TCP) of the affected SINEMA Remote Connect Server could allow XSS attacks if unsuspecting users are tricked into accessing a malicious link.

EXPLOITABILITY

This vulnerability could be exploited remotely.

MITIGATION

Siemens provides software update V1.2 for SINEMA Remote Connect Server which fixes the vulnerability and recommends users update to the new version. The software update for SINEMA Remote Connect Server can be obtained at:

https://support.industry.siemens.com/cs/ww/en/view/109737963

Siemens SIMATIC WinCC CVE-2016-5743

Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities

Specially crafted packets sent to SIMATIC WinCC or WinCC Runtime Professional could allow remote code execution for unauthenticated users.

AFFECTED PRODUCTS

Siemens reports that the vulnerabilities affect the following products:
  • SIMATIC WinCC:
    • V7.0 SP 2 and earlier versions,
    • V7.0 SP 3: All versions,
    • V7.2: All versions prior to 7.2 Update 13,
    • V7.3: All versions prior to 7.3 Update 10, and
    • V7.4: All versions prior to 7.4 Update 1
  • SIMATIC PCS 7 (WinCC, Batch, Route Control, OPEN PCS 7):
    • V7.1 SP4 and earlier versions,
    • V8.0: All versions,
    • V8.1: All versions prior to 8.1 SP1 with WinCC V7.3 Update 10, and
    • V8.2: All versions prior to 8.2 with WinCC V7.4 Update 1
  • SIMATIC WinCC Runtime Professional: All versions prior to V13 SP 1 Update 9.

MITIGATION

Siemens has produced updates for the following products and strongly encourages users to upgrade to the new versions as soon as possible: