CISA
Industry
News
Vulnerabilities

Siemens, Rockwell, Fuji Electric warn of security vulnerabilities that hackers could exploit

January 29, 2021
Fuji Electric

The Cybersecurity and Infrastructure Agency (CISA) revealed this week the existence of five security vulnerabilities in Fuji Electric Tellus Lite V-Simulator and V-Server Lite equipment. The security agency also reported that hackers could exploit the presence of vulnerabilities identified in Rockwell Automation’s FactoryTalk Linx and FactoryTalk Services Platform. These product lines are typically deployed in the critical manufacturing sector, and can be exploited using low levels of skill.

Siemens also warned its users of the presence of telnet authentication vulnerability in SIMATIC HMI Comfort Panels used for operator control and monitoring of machines and plants.

The security vulnerabilities found in Fuji Electric equipment include stack-based buffer overflow, out-of-bounds read, out-of-bounds write, access of uninitialized pointer and heap-based buffer overflow, CISA said in its advisory this week. Security loopholes have been found in Tellus Lite V-Simulator versions prior to v4.0.10.0 and V-Server Lite versions prior to v4.0.10.0.

The Fuji Electric vulnerabilities were reported to CISA by Kimiya, Khangkito – Tran Van Khang of VinCSS (member of Vingroup), and an anonymous researcher, working with Trend Micro’s Zero Day Initiative (ZDI).

Last September, the ZDI published an advisory warning users about the presence of zero-day vulnerabilities in Fuji Electric’s Tellus Lite V-Simulator 5 V8. The ‘file parsing out-of-bounds read remote code execution’ vulnerability enabled remote hackers to execute arbitrary code on affected installations of Fuji Electric Tellus Lite. User interaction is required to exploit the vulnerability in that the target must visit a malicious page or open a malicious file, it added.

CISA also warned users of security vulnerabilities found in Rockwell Automation’s equipment. These vulnerabilities included classic buffer overflow, and improper check or handling of exceptional conditions present on Rockwell’s FactoryTalk Linx software versions 6.20 and prior and FactoryTalkServices Platform versions 6.20 and prior. Tenable reported these vulnerabilities to Rockwell Automation.

A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack where hackers send a specially crafted log file to a local user, reported CISA. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform, resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.

Rockwell recommends that users adopt network-based vulnerability mitigations for embedded products by using proper network infrastructure controls, such as firewalls, to help ensure traffic from unauthorized sources is blocked. The company also guided users to consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.

Users could also block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port 2222 and Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

In November, three critical security vulnerabilities were identified in Rockwell Automation’s FactoryTalk Linx, and exploitation of these weaknesses can allow a denial-of-service condition, remote code execution or leak of information that could be used to bypass address space layout randomization (ASLR) within the industrial control systems (ICS).

Siemens faced vulnerabilities in its SIMATIC HMI Panels that could allow a remote hackers to gain full access to the device(s), if the telnet service is enabled, according to a report from Siemens ProductCERT. Affected devices with enabled telnet service do not require authentication for this service, as it could allow a remote attacker to gain full access to the device, according to the German conglomerate. It advised users to disable telnet on the HMI panels if enabled, as by default telnet is disabled.

Last week, Siemens announced that its security researchers discovered and disclosed seven vulnerabilities known as DNSpooq in the DNS component open source software “DNSmasq.” Of these three security vulnerabilities affect the validation of DNS responses, and affect several of Siemens’ SCALANCE and RUGGEDCOM devices.

To mitigate security risks, Siemens advises users to disable both these industrial routers from the DNS proxy in the device configuration, and configure the connected devices in the internal network to use a different DNS server, as the DNS proxy is enabled by default.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape