The Cybersecurity and Infrastructure Agency (CISA) revealed this week the existence of five security vulnerabilities in Fuji Electric Tellus Lite V-Simulator and V-Server Lite equipment. The security agency also reported that hackers could exploit the presence of vulnerabilities identified in Rockwell Automation’s FactoryTalk Linx and FactoryTalk Services Platform. These product lines are typically deployed in the critical manufacturing sector, and can be exploited using low levels of skill.
Siemens also warned its users of the presence of telnet authentication vulnerability in SIMATIC HMI Comfort Panels used for operator control and monitoring of machines and plants.
The security vulnerabilities found in Fuji Electric equipment include stack-based buffer overflow, out-of-bounds read, out-of-bounds write, access of uninitialized pointer and heap-based buffer overflow, CISA said in its advisory this week. Security loopholes have been found in Tellus Lite V-Simulator versions prior to v220.127.116.11 and V-Server Lite versions prior to v18.104.22.168.
The Fuji Electric vulnerabilities were reported to CISA by Kimiya, Khangkito – Tran Van Khang of VinCSS (member of Vingroup), and an anonymous researcher, working with Trend Micro’s Zero Day Initiative (ZDI).
Last September, the ZDI published an advisory warning users about the presence of zero-day vulnerabilities in Fuji Electric’s Tellus Lite V-Simulator 5 V8. The ‘file parsing out-of-bounds read remote code execution’ vulnerability enabled remote hackers to execute arbitrary code on affected installations of Fuji Electric Tellus Lite. User interaction is required to exploit the vulnerability in that the target must visit a malicious page or open a malicious file, it added.
CISA also warned users of security vulnerabilities found in Rockwell Automation’s equipment. These vulnerabilities included classic buffer overflow, and improper check or handling of exceptional conditions present on Rockwell’s FactoryTalk Linx software versions 6.20 and prior and FactoryTalkServices Platform versions 6.20 and prior. Tenable reported these vulnerabilities to Rockwell Automation.
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack where hackers send a specially crafted log file to a local user, reported CISA. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform, resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.
Rockwell recommends that users adopt network-based vulnerability mitigations for embedded products by using proper network infrastructure controls, such as firewalls, to help ensure traffic from unauthorized sources is blocked. The company also guided users to consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
Users could also block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port 2222 and Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.
In November, three critical security vulnerabilities were identified in Rockwell Automation’s FactoryTalk Linx, and exploitation of these weaknesses can allow a denial-of-service condition, remote code execution or leak of information that could be used to bypass address space layout randomization (ASLR) within the industrial control systems (ICS).
Siemens faced vulnerabilities in its SIMATIC HMI Panels that could allow a remote hackers to gain full access to the device(s), if the telnet service is enabled, according to a report from Siemens ProductCERT. Affected devices with enabled telnet service do not require authentication for this service, as it could allow a remote attacker to gain full access to the device, according to the German conglomerate. It advised users to disable telnet on the HMI panels if enabled, as by default telnet is disabled.
Last week, Siemens announced that its security researchers discovered and disclosed seven vulnerabilities known as DNSpooq in the DNS component open source software “DNSmasq.” Of these three security vulnerabilities affect the validation of DNS responses, and affect several of Siemens’ SCALANCE and RUGGEDCOM devices.
To mitigate security risks, Siemens advises users to disable both these industrial routers from the DNS proxy in the device configuration, and configure the connected devices in the internal network to use a different DNS server, as the DNS proxy is enabled by default.