Today CISA’s NCCIC-ICS published five control system
security advisories for products from WAGO, Mitsubishi Electric, Honeywell, and
Delta Electronics (2).

WAGO Advisory

This advisory
describes a deserialization of untrusted data vulnerability in the M&M
Software fdtCONTAINER (M&M is a subsidiary of WAGO). The vulnerability was
reported by Emerson. M&M has a new version that mitigates the vulnerability
(but would not be compatible with existing projects). There is no indication
that Emerson has been provided an opportunity to verify the efficacy of the
fix.

NCCIC-ICS reports that a relatively low-skilled attacker
could exploit the vulnerability via a social engineering attack to allow malicious
code to be executed without notice.

NCCIC-ICS reports that this vulnerability affects products
from Emerson and PEPPERL+FUCHS.

NOTE: I briefly discussed this vulnerability last Saturday, but I was not
aware that M&M was a subsidiary of WAGO.

Mitsubishi Advisory

This advisory
describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELFA
product line. The vulnerability was reported by Qi An Xin Group, Inc. Mitsubishi
has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial-of-service
condition.

NOTE: NCCIC-ICS provided an incorrect link for the
Mitsubishi advisory (listed as ‘Mitsubishi Electric website’ in this advisory).
The link should have been https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-019_en.pdf.

Honeywell Advisory

This advisory
describes four vulnerabilities in the Matrikon (a subsidiary of Honeywell) OPC
UA Tunneller. The vulnerabilities were reported by Uri Katz of Claroty. Matrikon
has a new version that mitigates the vulnerabilities. There is no indication that
Katz has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow – CVE-2020-27297,

• Out-of-bounds read – CVE-2020-27299,

• Improper check for unusual or exceptional conditions – CVE-2020-27274, and

• Uncontrolled resource consumption – CVE-2020-27295

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker to disclose
sensitive information, remotely execute arbitrary code, or crash the device.

TPEditor Advisory

This advisory
describes two vulnerabilities in the Delta TPEditor. The vulnerabilities were
reported by kimiya via the Zero Day Initiative. Delta has a new version that
mitigates the vulnerabilities. There is no indication that kimiya has been provided
an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Untrusted pointer dereference – CVE-2020-27288, and

• Out-of-bounds write – CVE-2020-27284

NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to allow an
attacker to execute code under the privileges of the application.

ISPSoft Advisory

This advisory
describes a use after free vulnerability in the Delta ISPSoft PLC program
development tool. The vulnerability was reported by Francis Provencher via ZDI.
Delta has a new version that mitigates the vulnerability. There is no indication
that Provencher has been provided an opportunity to verify the efficacy of the
fix.

NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to allow an
attacker to execute code under the privileges of the application.

By admin