AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Updated: 14 minutes 45 seconds ago
ESB-2022.1718 - [Appliance] Delta Electronics DMARS: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1718
Advisory (icsa-22-104-01) Delta Electronics DMARS
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Delta Electronics DMARS
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1331
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-01
Comment: CVSS (Max): 5.5 CVE-2022-1331 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-01)
Delta Electronics DMARS
Original release date: April 14, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.
1. EXECUTIVE SUMMARY
o CVSS v3 5.5
o ATTENTION: Low attack complexity
o Vendor: Delta Electronics
o Equipment: DMARS
o Vulnerability: Improper Restriction of XML External Entity Reference
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain
sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of DMARS, a Motion Controller program development tool,
are affected:
o DMARS: All versions prior to v2.1.10.24
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
In four instances the affected product does not properly restrict references of
XML external entities while processing specific project files, which may allow
unauthorized information disclosure.
CVE-2022-1331 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
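The defect in 3.2.1 is a project-file loader that resolves XML external
entities. What follows is an added example, not Delta Electronics code and not
the DMARS project format: the <project> element, its fields and the licence-key
file it reads are constructed for illustration. It loads the same project file
twice, once with a SAX parser configured the way the advisory describes
(external general entities fetched and inlined) and once with a hardened parser
(external entities off and any DOCTYPE refused), and shows the first leaking a
local file into a field while the second rejects the document.

```python
"""XXE in an XML project-file loader: the vulnerable parse beside the hardened one.

Added example, not Delta Electronics code. The <project> layout, its fields and
the licence-key file are constructed; the advisory says only that the product
resolves XML external entities while processing project files.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from typing import Dict
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


class _FieldCollector(ContentHandler):
    """Records the text of every element, keyed by element name."""

    def __init__(self):
        super().__init__()
        self.fields: Dict[str, str] = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        self.fields[name] = "".join(self._buf).strip()
        self._buf = []


class _NoDoctypeParser(ExpatParser):
    """SAX parser that refuses any DOCTYPE, so no entity can be declared at all.

    Same technique defusedxml uses: hook expat's StartDoctypeDeclHandler once the
    underlying parser exists (ExpatParser creates it in reset()).
    """

    def reset(self):
        super().reset()
        self._parser.StartDoctypeDeclHandler = self._reject_doctype

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in project files")


def load_project(xml_bytes: bytes, hardened: bool) -> Dict[str, str]:
    """Parse one project file and return its fields.

    hardened=False is the CWE-611 configuration: external general entities are
    fetched and their content inlined.  hardened=True never resolves them and
    rejects any document that carries a DTD.
    """
    if hardened:
        parser = _NoDoctypeParser()
        parser.setFeature(feature_external_ges, False)  # Python's default, made explicit
    else:
        parser = xml.sax.make_parser()
        parser.setFeature(feature_external_ges, True)   # the vulnerable setting
    collector = _FieldCollector()
    parser.setContentHandler(collector)
    source = InputSource()
    source.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(source)
    return collector.fields


def build_malicious_project(target_uri: str) -> bytes:
    """A project file whose <name> expands to the contents of target_uri."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE project [<!ENTITY xxe SYSTEM "{target_uri}">]>'
        '<project><name>&xxe;</name><axes>3</axes></project>'
    ).encode()


BENIGN_PROJECT = (b'<?xml version="1.0"?>'
                  b'<project><name>conveyor-7</name><axes>3</axes></project>')


def demo() -> dict:
    """Leak a constructed licence-key file through the vulnerable loader;
    show the hardened loader refusing the same file and accepting a clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp, "license.key")
        key_file.write_text("LICENSE-KEY-REDACTED")        # constructed sensitive file
        evil = build_malicious_project(key_file.as_uri())   # file:///.../license.key
        leaked = load_project(evil, hardened=False)["name"]
        try:
            load_project(evil, hardened=True)
            blocked = False
        except ValueError:
            blocked = True
    clean = load_project(BENIGN_PROJECT, hardened=True)
    return {"leaked": leaked, "blocked": blocked, "benign_axes": clean["axes"]}


if __name__ == "__main__":
    print(demo())
```

Refusing the DTD outright, rather than only leaving external entities disabled,
also closes the entity-expansion denial-of-service variants, which an
"external entities off" setting alone does not. For a product that needs a DTD
in its project files, the minimum is the feature_external_ges=False half of the
hardened branch plus an entity resolver that refuses every system identifier.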
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
Kimiya, working with Trend Micro's Zero Day Initiative, reported this
vulnerability to CISA.
4. MITIGATIONS
Delta Electronics recommends users update to the latest version. Users can
obtain the update by contacting Delta Electronics' corresponding FAE (Field
Application Engineer) or solution center.
Delta Electronics also recommends the following:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o Never connect programming software to any network other than the network
intended for that device.
o When remote access is required, use secure methods, such as virtual private
networks (VPNs), recognizing a VPN is only as secure as its connected
devices.
CISA recommends users take the following measures to protect themselves from
social engineering attacks:
o Only use project files from trusted sources.
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=KzWk
-----END PGP SIGNATURE-----
ESB-2022.1717 - [Appliance] Johnson Controls Metasys: CVSS (Max): 8.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1717
Advisory (icsa-22-104-02) Johnson Controls Metasys
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Johnson Controls Metasys
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-36205
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-02
Comment: CVSS (Max): 8.1 CVE-2021-36205 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-02)
Johnson Controls Metasys
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 8.1
o ATTENTION: Exploitable remotely
o Vendor: Johnson Controls Inc.
o Equipment: Metasys ADS/ADX/OAS Servers
o Vulnerability: Incomplete Cleanup
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to
use a session token that has not been cleared upon log out of an authenticated
user.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Johnson Controls reports this vulnerability affects the following Metasys ADS/
ADX/OAS servers for building management systems:
o All Metasys ADS/ADX/OAS Servers: Versions 10 and 11
3.2 VULNERABILITY OVERVIEW
3.2.1 INCOMPLETE CLEANUP CWE-459
Under certain circumstances the session token is not cleared upon log out.
CVE-2021-36205 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
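The advisory gives no detail beyond "the session token is not cleared upon log
out". The following is an added example, not Johnson Controls code and not how
Metasys handles sessions: a server-side session store in which logout either
forgets the token (the fix) or merely lets the client drop its cookie while the
server record stays valid (the defect), together with a black-box probe that
can be wired to real HTTP calls to test any product for the same condition.

```python
"""Session tokens that must die at logout: the CWE-459 defect beside the fix, plus a probe.

Added example, not Johnson Controls code and not the Metasys implementation.
The advisory states only that a session token may survive logout; this models a
server-side store in which logout either forgets the token (the fix) or leaves
the record in place (the defect), and a replay probe usable against any API.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class SessionStore:
    """Opaque bearer tokens, stored as SHA-256 hashes with an absolute expiry."""

    def __init__(self, ttl_seconds: int = 3600, revoke_on_logout: bool = True):
        self._sessions: Dict[str, Tuple[str, float]] = {}   # token hash -> (user, expires_at)
        self.ttl = ttl_seconds
        self.revoke_on_logout = revoke_on_logout

    @staticmethod
    def _key(token: str) -> str:
        # A dump of the store must not yield usable tokens, so only the hash is kept.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token

    def logout(self, token: str) -> None:
        if self.revoke_on_logout:
            self._sessions.pop(self._key(token), None)   # the fix: forget the token server-side
        # The defect: only the browser is told to drop its cookie. Anyone holding a
        # copy of the token (proxy logs, a shared workstation, a captured request)
        # keeps access until the absolute expiry.

    def authorize(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None."""
        now = time.time() if now is None else now
        record = self._sessions.get(self._key(token))
        if record is None:
            return None
        user, expires_at = record
        if now >= expires_at:
            self._sessions.pop(self._key(token), None)
            return None
        return user


def token_survives_logout(login: Callable[[], str],
                          logout: Callable[[str], None],
                          is_authenticated: Callable[[str], bool]) -> bool:
    """Black-box check for CWE-459 in a session API: True means the bug is present.

    Wire the three callables to real HTTP calls (login -> token, logout, and a
    request to an authenticated endpoint reporting whether it got a 200) and run
    it against a test instance.
    """
    token = login()
    if not is_authenticated(token):
        raise RuntimeError("token did not work before logout; probe is miswired")
    logout(token)
    return bool(is_authenticated(token))


if __name__ == "__main__":
    for label, store in (("defect", SessionStore(revoke_on_logout=False)),
                         ("fixed", SessionStore())):
        print(label, "token survives logout:",
              token_survives_logout(lambda: store.login("operator"),
                                    store.logout,
                                    lambda t: store.authorize(t) is not None))
```

Expiry alone is not a fix: a token that survives logout remains usable for the
rest of its lifetime, which is why the probe replays it immediately after the
logout call rather than waiting.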
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Ireland
3.4 RESEARCHER
Johnson Controls, Inc. reported this vulnerability to CISA.
4. MITIGATIONS
Johnson Controls recommends users update the following:
o Update all Metasys ADS/ADX/OAS Servers: Versions 10 with patch 10.1.5
o Update all Metasys ADS/ADX/OAS Servers: Versions 11 with patch 11.0.2
For more detailed mitigation instructions, please see Johnson Controls Product
Security Advisory JCI-PSA-2022-06 v1
Johnson Controls recommends taking steps to minimize risks to all building
automation systems.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
No known public exploits specifically target this vulnerability. This
vulnerability has a high attack complexity.
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYl+ZnuNLKJtyKPYoAQghRxAAjZpf1f3eehJkXyE6ad1FwpPxIT51t0eF
jMkEUvbEkrD0SHB8Eq4+wMSgdA/5xtTjhpASOTs36CKaOlJgvQ6oaeWt9HakzsZX
VcpRRL/ftQ3OKt67CBNhZ/OTrGoHzT3KH8Mwe8RrGeX2Hh/55e0dIIMQyU8kZq4S
yfmhdtaaDQEEsr93NcGk8Q2nYAOOyaN85l9df2QMAXLuGmCsPdMB3vskSZIt4tgX
8qtsjR7olGEAHZdXjp1azO9w1xaOQQ16io3+Irac8ZHei+iKpPJpv+8vyTKczAWd
/6m7cFYLBj2pV6quT09FxJ0rjbWzcgWU0fKvU6TQDFGB2ztIeE6vpbGZNOOe7DVZ
IHiZQ2BrpYb/34GRHlPL0MsUS+fyy7k9LjZwN4p41iTXZ0w2+daxc18aXzhF/opY
lsUd6BHtuzBzGogLJ/9/G8Utw44HGcKv37JhJw93UV3kblp44rKFjWmCyfPrdM3L
n5FAl7s0FLlA5VzcEl8WhtOsJZNiV3bVl8yjBUkVXcfmpNCpo9VKBrJQPCdHxj3D
L9IS8cQOUebnnH6OGtwgfTMROx+k8Bx2cjx+O+nT8MsuoiB/Lgb5/e9Z+t6YcbQS
RyaONBwOYBKO+pqzG6GIBEnabZVXEh1xJ2+EdEEEpt7JlXC6PiWXEmzoT7KLZ9Wd
wlwwtmAGbL4=
=Xc5D
-----END PGP SIGNATURE-----
ESB-2022.1716 - [Appliance] Red Lion DA50N: CVSS (Max): 9.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1716
Advisory (icsa-22-104-03) Red Lion DA50N
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Lion DA50N
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2022-27179 CVE-2022-26516 CVE-2022-1039
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-03
Comment: CVSS (Max): 9.6 CVE-2022-1039 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-03)
Red Lion DA50N
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 9.6
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Red Lion
o Equipment: DA50N
o Vulnerabilities: Insufficient Verification of Data Authenticity, Weak
Password Requirements, Use of Unmaintained Third-Party Components,
Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in data
compromise, data modification, and a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Red Lion DA50N, a networking gateway, are affected:
o DA50N: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
Authorized users may install a maliciously modified package file when updating
the device via the web user interface. The user may inadvertently use a package
file obtained from an unauthorized source or a file that was compromised
between download and deployment.
CVE-2022-26516 has been assigned to this vulnerability. A CVSS v3 base score of
8.4 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).
3.2.2 WEAK PASSWORD REQUIREMENTS CWE-521
The weak password on the web user interface can be exploited via HTTP or HTTPS.
Once such access has been obtained, the other passwords can be changed. The
weak password on Linux accounts can be accessed via SSH or Telnet, the former
of which is by default enabled on trusted interfaces. While the SSH service
does not support root login, a user logging in using either of the other Linux
accounts may elevate to root access using the su command if they have access to
the associated password.
CVE-2022-1039 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
3.2.3 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104
This product relies on an outdated, unmaintained Linux kernel v4.9.119 that
contains multiple vulnerabilities that may impact security.
3.2.4 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
A malicious actor having access to the exported configuration file may obtain
the stored credentials and thereby gain access to the protected resource. If
the same passwords were used for other resources, further such assets may be
compromised.
CVE-2022-27179 has been assigned to this vulnerability. A CVSS v3 base score of
4.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Ron Brash of aDolus Technology Inc. reported these vulnerabilities to CISA.
4. MITIGATIONS
Red Lion notes the DA50N series product is at end-of-life and does not intend
to release a software update to address these vulnerabilities. Users are
encouraged to apply workarounds and mitigations or upgrade their device to
DA50A and DA70A.
Red Lion has provided the following workarounds to help mitigate the risk of
these vulnerabilities:
o Do not install image files that are obtained from sources other than the
official Red Lion website.
o When downloading images from Red Lion's website, ensure the validity of the
server's TLS certificate.
o If package files or images are to be stored before deployment, ensure they
are stored in a secure manner.
o Minimize the risk of unauthorized installation via SD card by limiting
physical access to the device.
o Ensure the default UI password is changed to one meeting standard security
practices.
o Change the admin, rlcuser and techsup account passwords from their default
values.
o Disable the SSH service and keep the telnet service disabled if they are
not required.
o Do not re-use the same password for securing multiple resources.
o Limit access to configuration files that contain valuable credentials.
o Ensure the use of secure credentials when configuring optional services.
o Enable only the minimum set of optional services required for the
application.
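Several of the workarounds above (change the admin, rlcuser and techsup
passwords, do not reuse passwords, keep SSH and Telnet off unless needed, limit
access to exported configuration) can be checked from an exported
configuration. The script below is an added example, not Red Lion code: the
DA50N export format is not public, so the INI layout and its values are
constructed; only the account names and the ssh/telnet services come from the
advisory. It reports credentials stored in the clear (3.2.4), accounts still on
a weak or shared password (3.2.2) and remote-access services left enabled.

```python
"""Audit an exported gateway configuration for the conditions in this advisory.

Added example, not Red Lion code. The DA50N export format is not public, so the
INI layout below is constructed; the account names admin, rlcuser and techsup
and the ssh/telnet services are the ones the advisory names. Checks: credentials
stored in the clear (CWE-522), accounts on a weak or shared password (CWE-521),
and remote-access services left enabled.
"""
import configparser
from typing import Dict, List

# Constructed sample: what a careless export might look like.
SAMPLE_EXPORT = """
[accounts]
admin = admin
rlcuser = rlcuser
techsup = Summer2022!

[services]
ssh = enabled
telnet = disabled
http = enabled

[modbus_upstream]
host = 10.0.5.20
username = scada
password = Summer2022!
"""

WEAK_PASSWORD_MIN_LEN = 12
SECRET_KEYS = ("password", "passwd", "secret", "psk")


def is_weak(username: str, password: str) -> bool:
    """Empty, equal to the user name, or too short: enough to count as weak here."""
    p = password.strip()
    return not p or p.lower() == username.lower() or len(p) < WEAK_PASSWORD_MIN_LEN


def audit_export(text: str) -> List[str]:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: List[str] = []

    # CWE-521: device accounts still on weak passwords.
    accounts = dict(cfg["accounts"]) if cfg.has_section("accounts") else {}
    for user, pw in accounts.items():
        if is_weak(user, pw):
            findings.append(f"weak password on account '{user}'")

    # CWE-522: any secret readable from an export is a finding in itself, and a
    # value that appears in more than one place is the reuse the advisory warns about.
    seen: Dict[str, List[str]] = {}   # secret value -> where it was found
    for section in cfg.sections():
        for key, value in cfg[section].items():
            if section == "accounts" or key in SECRET_KEYS:
                where = f"{section}/{key}"
                findings.append(f"plaintext credential stored at {where}")
                seen.setdefault(value, []).append(where)
    for value, places in seen.items():
        if value.strip() and len(places) > 1:
            findings.append("password reused across " + ", ".join(places))

    # Remote shells the workarounds say to keep off unless required.
    if cfg.has_section("services"):
        for svc in ("ssh", "telnet"):
            if cfg["services"].get(svc, "disabled").lower() == "enabled":
                findings.append(f"{svc} service enabled; disable it unless required")
    return findings


if __name__ == "__main__":
    for line in audit_export(SAMPLE_EXPORT):
        print(line)
```

The plaintext-credential finding fires even for a strong password: on a device
whose export stores secrets in the clear, the fix is to protect the export
itself (where it is stored and who can read it) and to rotate anything it
contained once it has been shared.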
For additional information, refer to Red Lion's security alert.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
No known public exploits specifically target these vulnerabilities.
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=I1Ux
-----END PGP SIGNATURE-----
ESB-2022.1715 - [Appliance] Siemens SCALANCE FragAttacks: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1715
Advisory (icsa-22-104-04) Siemens SCALANCE FragAttacks
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SCALANCE FragAttacks
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2020-26147 CVE-2020-26146 CVE-2020-26145
CVE-2020-26144 CVE-2020-26143 CVE-2020-26141
CVE-2020-26140 CVE-2020-26139 CVE-2020-24588
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04
Comment: CVSS (Max): 6.5 CVE-2020-26140 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-04)
Siemens SCALANCE FragAttacks
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 6.5
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE family devices
o Vulnerabilities: Improper Authentication, Injection, Improper Validation of
Integrity Check, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker within
Wi-Fi range to forge encrypted frames, which could result in sensitive data
disclosure and traffic manipulation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
o SCALANCE W721-1 RJ45: All versions
o SCALANCE W722-1 RJ45: All versions
o SCALANCE W734-1 RJ45: All versions
o SCALANCE W738-1 M12: All versions
o SCALANCE W748-1 M12: All versions
o SCALANCE W738-1 RJ45: All versions
o SCALANCE W761-1 RJ45: All versions
o SCALANCE W774-1 M12 EEC: All versions
o SCALANCE W774-1 RJ45: All versions
o SCALANCE W778-1 M12 EEC: All versions
o SCALANCE W786-1 RJ45: All versions
o SCALANCE W786-2 RJ45: All versions
o SCALANCE W786-2 SFP: All versions
o SCALANCE W786-2IA RJ45: All versions
o SCALANCE W788-1 M12: All versions
o SCALANCE W788-1 RJ45: All versions
o SCALANCE W788-2 M12: All versions
o SCALANCE W788-1 M12 EEC: All versions
o SCALANCE W788-2 RJ45: All versions
o SCALANCE W1748-1 M12: All versions prior to v3.0.0
o SCALANCE W1750D M12: All versions prior to v8.7.1.3
o SCALANCE W1788-1 M12: All versions prior to v3.0.0
o SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0
o SCALANCE W1788-2 M12: All versions prior to v3.0.0
o SCALANCE W1788-2IA M12: All versions prior to v3.0.0
o SCALANCE WAM766-1: All versions
o SCALANCE WAM766-1 EEC: All versions
o SCALANCE WUM763-1: All versions
o SCALANCE WUM766-1: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3)
and Wired Equivalent Privacy (WEP) doesn't require the A-MSDU flag in the
plaintext QoS header field to be authenticated. Against devices that support
receiving non-SSP A-MSDU frames, which is mandatory as part of 802.11n, an
adversary can abuse this to inject arbitrary network packets.
CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
3.2.2 IMPROPER AUTHENTICATION CWE-287
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP)
forwards EAPOL frames to other clients even though the sender has not yet
successfully authenticated to the AP. This might be abused in protected Wi-Fi
networks to launch denial-of-service attacks against connected clients and
makes it easier to exploit other vulnerabilities in connected clients.
CVE-2020-26139 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H.
The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a
protected Wi-Fi network. An adversary can abuse this to inject arbitrary data
frames independent of the network configuration.
CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.4 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H.
The Wi-Fi implementation does not verify the Message Integrity Check
(authenticity) of fragmented TKIP frames. An adversary can abuse this to inject
and decrypt packets in WPA or WPA2 networks that support the TKIP
data-confidentiality protocol.
CVE-2020-26141 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.5 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for
AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented
plaintext frames in a protected Wi-Fi network. An adversary can abuse this to
inject arbitrary data frames independent of the network configuration.
CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.6 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA,
WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the
first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for
EAPOL. An adversary can abuse this to inject arbitrary network packets
independent of the network configuration.
CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.7 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA,
WPA2, and WPA3 implementations accept second (or subsequent) broadcast
fragments even when sent in plaintext and process them as full unfragmented
frames. An adversary can abuse this to inject arbitrary network packets
independent of the network configuration.
CVE-2020-26145 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.8 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA,
WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet
numbers. An adversary can abuse this to exfiltrate selected fragments. This
vulnerability is exploitable when another device sends fragmented frames and
the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is
vulnerable to this attack by design.
CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.9 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3
implementations reassemble fragments even though some of them were sent in
plaintext. This vulnerability can be abused to inject packets and/or exfiltrate
selected fragments when another device sends fragmented frames and the WEP,
CCMP, or GCMP data-confidentiality protocol is used.
CVE-2020-26147 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N).
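The flaws listed in 3.2.x share one pattern: a receiver accepts plaintext frames inside a protected network, or stitches fragments together without confirming that every fragment was encrypted and that their packet numbers are consecutive. The Python model below is an added example, not code from Siemens, from the drivers named above or from the FragAttacks paper; it shows a defragmentation cache that enforces those checks and drops anything that fails them. The `Fragment` fields and the `Reassembler` class are assumptions made for the illustration and do not correspond to any real driver's data structures; the fragment sequences fed through it are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    """One received 802.11 data MPDU (constructed model, not a driver struct)."""
    src: str            # transmitter address
    seq: int            # sequence number shared by all fragments of one MSDU
    frag_no: int        # fragment number, 0 for the first fragment
    more_frags: bool    # More Fragments flag from the frame control field
    protected: bool     # Protected Frame bit set and decryption succeeded
    pn: Optional[int]   # CCMP/GCMP packet number (None for plaintext frames)
    payload: bytes


@dataclass
class Reassembler:
    """Defragmentation cache for a receiver in a protected (WPA2/WPA3) network."""
    cache: Dict[Tuple[str, int], List[Fragment]] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)

    def _drop(self, key: Tuple[str, int], reason: str) -> None:
        # Discard any partial MSDU with the same key so a later fragment
        # cannot be attached to it.
        self.cache.pop(key, None)
        self.dropped.append(reason)

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled MSDU once it is complete, else None."""
        key = (f.src, f.seq)
        # Check 1: in a protected network a plaintext data frame is never
        # accepted, whether it is a whole frame or any fragment of one
        # (the 3.2.3 / 3.2.5 / 3.2.7 pattern).
        if not f.protected or f.pn is None:
            self._drop(key, f"plaintext frame seq={f.seq} frag={f.frag_no}")
            return None
        if f.frag_no == 0:
            self.cache[key] = [f]
        else:
            pending = self.cache.get(key)
            # Check 2: a non-first fragment must continue a pending MSDU; it is
            # never processed as a complete frame on its own.
            if pending is None or pending[-1].frag_no + 1 != f.frag_no:
                self._drop(key, f"out-of-order fragment seq={f.seq} frag={f.frag_no}")
                return None
            # Check 3: packet numbers of successive fragments must be
            # consecutive, so fragments of different frames cannot be mixed
            # (the 3.2.8 / 3.2.9 pattern).
            if f.pn != pending[-1].pn + 1:
                self._drop(key, f"non-consecutive PN {pending[-1].pn}->{f.pn} seq={f.seq}")
                return None
            pending.append(f)
        if f.more_frags:
            return None
        frags = self.cache.pop(key)
        return b"".join(x.payload for x in frags)


def run_scenarios() -> Dict[str, Optional[bytes]]:
    """Feed constructed fragment sequences through fresh reassemblers."""
    results: Dict[str, Optional[bytes]] = {}

    r = Reassembler()  # well-formed two-fragment MSDU: accepted
    r.receive(Fragment("02:aa", 1, 0, True, True, 100, b"hello "))
    results["valid"] = r.receive(Fragment("02:aa", 1, 1, False, True, 101, b"world"))

    r = Reassembler()  # second fragment has a packet-number gap: rejected
    r.receive(Fragment("02:aa", 2, 0, True, True, 200, b"part1"))
    results["pn_gap"] = r.receive(Fragment("02:aa", 2, 1, False, True, 205, b"part2"))

    r = Reassembler()  # lone plaintext "last" fragment: rejected, not treated as a frame
    results["plaintext_tail"] = r.receive(Fragment("02:aa", 3, 1, False, False, None, b"x"))

    r = Reassembler()  # encrypted first fragment, plaintext second: rejected
    r.receive(Fragment("02:aa", 4, 0, True, True, 300, b"p1"))
    results["mixed"] = r.receive(Fragment("02:aa", 4, 1, False, False, None, b"p2"))
    return results


if __name__ == "__main__":
    for name, out in run_scenarios().items():
        print(f"{name:15s} -> {out!r}")
```

The `dropped` list is the point of the model for a defender: a real receiver that logs these three rejection reasons gives a detection signal for the frame mixing the advisory describes, rather than silently accepting it.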
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends updating the affected products to the latest version where
available:
o SCALANCE W1748-1 M12: Update to v3.0.0 or later
o SCALANCE W1750D M12: Update to v8.7.1.3 or later
o SCALANCE W1788-1 M12: Update to v3.0.0 or later
o SCALANCE W1788-2 EEC M12: Update to v3.0.0 or later
o SCALANCE W1788-2 M12: Update to v3.0.0 or later
o SCALANCE W1788-2IA M12: Update to v3.0.0 or later
o SCALANCE WAM766-1: Update to v1.2 or later
o SCALANCE WAM766-1 EEC: Update to v1.2 or later
o SCALANCE WUM763-1: Update to v1.2 or later
o SCALANCE WUM766-1: Update to v1.2 or later
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:
o As these vulnerabilities can only be exploited within Wi-Fi range, reduce
Wi-Fi transmission power where possible, or keep the devices in private
areas with physical access controls
o When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and
CVE-2020-26144
For more details regarding the FragAttacks vulnerabilities refer to:
o Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and
Fragmentation
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to the Siemens operational guidelines for industrial
security and follow the recommendations in the product manuals.
For additional information, please refer to Siemens Security Advisory
SSA-913875
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1714 - [Appliance] Siemens OpenSSL Vulnerabilities in Industrial Products: CVSS (Max): 5.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1714
Advisory (icsa-22-104-05) Siemens OpenSSL Vulnerabilities in
Industrial Products
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens OpenSSL Vulnerabilities in Industrial Products
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3449
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-05
Comment: CVSS (Max): 5.9 CVE-2021-3449 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-05)
Siemens OpenSSL Vulnerabilities in Industrial Products
Original release date: April 14, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 5.9
o ATTENTION: Exploitable remotely/high attack complexity
o Vendor: Siemens
o Equipment: Siemens Industrial Products
o Vulnerability: NULL Pointer Dereference
2. RISK EVALUATION
Successful exploitation of this vulnerability may allow an unauthenticated
attacker to cause a denial-of-service condition if a maliciously crafted
renegotiation message is sent.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports this vulnerability affects the following products:
o RUGGEDCOM CROSSBOW Station Access Controller: All versions since and
including v5.2.0 only when running on ROX v2.14.0
o RUGGEDCOM RCM1224: Versions 6.2 through 7.1
o SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions prior to v1.1
o SCALANCE M804PB (6GK5804-0AP00-2AA2): Versions 6.2 through 7.1
o SCALANCE M812-1 ADSL-Router (Annex A) (6GK5812-1AA00-2AA2): Versions 6.2
through 7.1
o SCALANCE M812-1 ADSL-Router (Annex B) (6GK5812-1BA00-2AA2): Versions 6.2
through 7.1
o SCALANCE M816-1 ADSL-Router (Annex A) (6GK5816-1AA00-2AA2): Versions 6.2
through 7.1
o SCALANCE M816-1 ADSL-Router (Annex B) (6GK5816-1BA00-2AA2): Versions 6.2
through 7.11
o SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2): Versions 6.2 through 7.1
o SCALANCE M874-2 (6GK5874-2AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M874-3 (6GK5874-3AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M876-3 (6GK5876-3AA02-2BA2): Versions 6.2 through 7.1
o SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2): Versions 6.2 through 7.1
o SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2): Versions 6.2 through 7.1
o SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2): Versions 6.2 through 7.1
o SCALANCE S602: All versions since and including v4.1
o SCALANCE S612: All versions since and including v4.1
o SCALANCE S615 (6GK5615-0AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE S623: All versions since and including v4.1
o SCALANCE S627-2M: All versions since and including v4.1
o SCALANCE SC622-2C (6GK5622-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC632-2C (6GK5632-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC636-2C (6GK5636-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC642-2C (6GK5642-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC646-2C (6GK5646-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0): Versions 2.0 through 3.0
o SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0): Versions 2.0 through 3.0
o SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W-700 IEEE 802.11n family: All versions since and including v6.5
o SCALANCE XB-200: All versions prior to v4.3
o SCALANCE XC-200: All versions prior to v4.3
o SCALANCE XF-200BA: All versions prior to v4.3
o SCALANCE XM-400: All versions prior to v6.4
o SCALANCE XP-200: All versions prior to v4.3
o SCALANCE XR-300WG: All versions prior to v4.3
o SCALANCE XR-500 Family: All versions prior to v6.4
o SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Versions 1.1 through 1.6
o SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Versions 1.1 through 1.6
o SIMATIC CP 1242-7 GPRS V2 (6GK7242-7KX31-0XE0): Versions 3.1 through 3.3
o SIMATIC CP 1243-1 (incl. SIPLUS variants): All versions since and including
v3.1
o SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0): Versions 3.1 through 3.3
o SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0): Versions 3.1 through 3.3
o SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): All versions since and
including v3.1
o SIMATIC CP 1542SP-1 IRC (incl. SIPLUS variants): All versions since and
including v2.1
o SIMATIC CP 1543-1 (6GK7543-1AX00-0XE0): Versions 2.2 through 3.0
o SIMATIC CP 1543SP-1 (incl. SIPLUS variants): All versions since and
including v2.1
o SIMATIC CP 1545-1 (6GK7545-1GX00-0XE0): All versions since and including
v1.0
o SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): All
versions prior to V17.0 Upd 2
o SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): All versions
prior to V17.0 Upd 2
o SIMATIC HMI KTP Mobile Panels: All versions prior to v17.0 Upd 2
o SIMATIC Logon: Versions 1.6 Upd 2 through 1.6 Upd 5
o SIMATIC MV540 H (6GF3540-0GE10): All versions prior to v3.1
o SIMATIC MV540 S (6GF3540-0CD10): All versions prior to v3.1
o SIMATIC MV550 H (6GF3550-0GE10): All versions prior to v3.1
o SIMATIC MV550 S (6GF3550-0CD10): All versions prior to v3.1
o SIMATIC MV560 U (6GF3560-0LE10): All versions prior to v3.1
o SIMATIC MV560 X (6GF3560-0HE10): All versions prior to v3.1
o SIMATIC PCS 7 TeleControl: All versions
o SIMATIC PCS neo: All versions prior to v3.1
o SIMATIC PDM: Versions 9.1 Upd 7 through 9.2 SP 1
o SIMATIC Process Historian OPC UA Server: All versions 2019 through 2020 Upd
1
o SIMATIC RF166C: All versions
o SIMATIC RF185C: All versions
o SIMATIC RF186C: All versions
o SIMATIC RF186CI: All versions
o SIMATIC RF188C: All versions
o SIMATIC RF188CI: All versions
o SIMATIC RF360R: All versions
o SIMATIC RF600R family: All versions prior to v4.0
o SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All versions prior to
v4.5.2
o SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0,
6AG1518-4AX00-4AC0, incl. SIPLUS variant): All versions prior to v2.9.3
o SIMATIC WinCC Runtime Advanced: All versions prior to v17 Update 1
o SIMATIC WinCC TeleControl: All versions
o SINAMICS Connect 300: All versions
o SINEC NMS: Versions 1.0 SP1 through 1.0 SP2
o SINEMA Server: Versions 14 through 14 SP3
o SINUMERIK OPC UA Server: All versions prior to v3.1 SP1
o SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0): Versions 2.2 through 3.0
o SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): Versions 2.0 through 2.2
o TIA Administrator: All versions prior to v1.0 SP4
o TIM 1531 IRC (6GK7543-1MX00-0XE0): Versions 2.0 through 2.2
3.2 VULNERABILITY OVERVIEW
3.2.1 NULL POINTER DEREFERENCE CWE-476
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension, where it was present in the initial
ClientHello, but includes a signature_algorithms_cert extension, then a NULL
pointer dereference will occur, leading to a crash and a denial-of-service
condition.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled, which
is the default configuration. OpenSSL TLS clients are not impacted by this
issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by
this issue. This vulnerability is fixed in OpenSSL 1.1.1k.
CVE-2021-3449 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
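Because the advisory scopes this issue by OpenSSL release (every 1.1.1 release before 1.1.1k is affected, 1.0.2 is not, and only servers with TLSv1.2 and renegotiation enabled are exposed), a fleet-wide triage comes down to parsing `openssl version` banners correctly, letter suffix included, and combining that with the exposure condition. The script below is an added example, not Siemens' or the OpenSSL project's code. The banner strings and host names are constructed, and `renegotiation_enabled` is an assumed inventory attribute that an operator would have to populate from the server configuration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the leading "OpenSSL 1.1.1g" part of `openssl version` output.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch, letter), or None when the banner is not OpenSSL."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def affected_by_cve_2021_3449(version: Version) -> bool:
    """Library-level scope from the advisory: 1.1.1 up to, not including, 1.1.1k."""
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 1, 1):
        return False            # 1.0.2 and other branches are not impacted
    # Within the 1.1.1 branch the patch letter orders releases: "" < "a" < ... < "k".
    return letter < "k"


def triage(inventory: List[Dict[str, object]]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'not-affected', 'not-exposed' or 'unknown'.

    Each record holds the `openssl version` banner and whether the TLS server
    has TLSv1.2 with renegotiation enabled (the advisory's exposure condition).
    """
    verdicts: Dict[str, str] = {}
    for host in inventory:
        name = str(host["name"])
        version = parse_openssl_version(str(host["banner"]))
        if version is None:
            verdicts[name] = "unknown"            # not OpenSSL, needs manual review
        elif not affected_by_cve_2021_3449(version):
            verdicts[name] = "not-affected"
        elif not host.get("renegotiation_enabled", True):
            verdicts[name] = "not-exposed"        # affected build, but the server cannot renegotiate
        else:
            verdicts[name] = "vulnerable"
    return verdicts


# Constructed inventory for the demonstration (hypothetical hosts).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "plc-gw-1", "banner": "OpenSSL 1.1.1g  21 Apr 2020", "renegotiation_enabled": True},
    {"name": "plc-gw-2", "banner": "OpenSSL 1.1.1k  25 Mar 2021", "renegotiation_enabled": True},
    {"name": "hist-1",   "banner": "OpenSSL 1.0.2u  20 Dec 2019", "renegotiation_enabled": True},
    {"name": "nms-1",    "banner": "OpenSSL 1.1.1  11 Sep 2018",  "renegotiation_enabled": False},
    {"name": "cam-1",    "banner": "mbed TLS 2.16.3",             "renegotiation_enabled": True},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {verdict}")
```

Treating a "not-exposed" host as lower priority rather than resolved is deliberate: the build is still affected, and any later configuration change that re-enables renegotiation reopens the denial-of-service condition.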
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has released updates for several affected products and recommends
updating to the latest versions available. Siemens is preparing further updates
and recommends countermeasures for products where updates are not, or not yet
available. Please see Siemens SSA-772220 to determine if there is an update
available.
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security, and to
follow the recommendations in the product manuals. Additional information on
Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact Siemens.
Additional Reference: SSA-772220 (PDF)
Additional Reference: SSA-772220 (TXT)
Additional Reference: SSA-772220 (CSAF)
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1713 - [Appliance] Siemens PROFINET Stack Integrated on Interniche Stack: CVSS (Max): 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1713
Advisory (icsa-22-104-06) Siemens PROFINET Stack Integrated
on Interniche Stack
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens PROFINET Stack Integrated on Interniche Stack
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-25622
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-06
Comment: CVSS (Max): 5.3 CVE-2022-25622 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-06)
Siemens PROFINET Stack Integrated on Interniche Stack
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: PROFINET Stack Integrated on Interniche Stack
o Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a denial-of-service
condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products are affected:
o SIMATIC CFU DIQ (6ES7655-5PX31-1XX0): All versions
o SIMATIC CFU PA (6ES7655-5PX11-0XX0): All versions
o SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants):
All versions
o SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants): All versions prior
to v6.0.10
o SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants):
All versions prior to v2.0.0
o SIMATIC TDC CP51M1: All versions
o SIMATIC TDC CPU555: All versions
o SIMATIC WinAC RTX: All versions
o SIMIT Simulation Platform: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
The PROFINET (PNIO) stack, when integrated with the Interniche IP stack,
improperly handles internal resources for TCP segments whose header length
field is smaller than the minimum the protocol defines. This could allow an
attacker to create a denial-of-service condition for TCP services on affected
devices by sending specially crafted TCP segments.
CVE-2022-25622 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
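The weakness here is a receiver that commits resources for a TCP segment before comparing its data offset field against the protocol's fixed minimum of five 32-bit words (a 20-byte header). The Python below is an added example, not Siemens' or the Interniche stack's code: it validates the header-length fields of a raw TCP segment before any parsing, rejecting a data offset below the minimum or a claimed header that runs past the end of the segment, and tallies accept/reject counts the way a boundary filter or sensor in front of port 102/TCP would report them. The `make_segment` helper and the sample segments are constructed for the demonstration.

```python
import struct
from typing import Dict, List, Tuple

TCP_MIN_DATA_OFFSET = 5          # 5 x 32-bit words = 20-byte header (RFC 793)
TCP_FIXED_HEADER_FMT = "!HHIIHHHH"
TCP_FIXED_HEADER_LEN = struct.calcsize(TCP_FIXED_HEADER_FMT)  # 20


def check_tcp_segment(segment: bytes) -> Tuple[bool, str]:
    """Validate the header-length fields of a raw TCP segment.

    Returns (True, "ok") for a well-formed segment, otherwise (False, reason).
    Nothing is parsed or allocated for the segment until these checks pass.
    """
    if len(segment) < TCP_FIXED_HEADER_LEN:
        return False, f"truncated: {len(segment)} bytes < {TCP_FIXED_HEADER_LEN}"
    (_sport, _dport, _seq, _ack, off_flags,
     _window, _csum, _urg) = struct.unpack(TCP_FIXED_HEADER_FMT, segment[:TCP_FIXED_HEADER_LEN])
    data_offset = off_flags >> 12         # upper 4 bits: header length in 32-bit words
    if data_offset < TCP_MIN_DATA_OFFSET:
        return False, f"data offset {data_offset} below minimum {TCP_MIN_DATA_OFFSET}"
    header_len = data_offset * 4
    if header_len > len(segment):
        return False, f"header length {header_len} exceeds segment length {len(segment)}"
    return True, "ok"


def parse_tcp_segment(segment: bytes) -> Dict[str, object]:
    """Parse only after validation; returns ports, flags, options and payload."""
    ok, reason = check_tcp_segment(segment)
    if not ok:
        raise ValueError(reason)
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        TCP_FIXED_HEADER_FMT, segment[:TCP_FIXED_HEADER_LEN])
    header_len = (off_flags >> 12) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,      # NS plus the eight classic flag bits
        "window": window,
        "options": segment[TCP_FIXED_HEADER_LEN:header_len],
        "payload": segment[header_len:],
    }


def make_segment(sport: int, dport: int, data_offset: int, flags: int = 0x02,
                 options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a constructed test segment (hypothetical helper); data_offset is
    written verbatim so that malformed values can be fed to the checker."""
    off_flags = ((data_offset & 0xF) << 12) | (flags & 0x1FF)
    fixed = struct.pack(TCP_FIXED_HEADER_FMT, sport, dport, 1, 0, off_flags, 65535, 0, 0)
    return fixed + options + payload


def tally(segments: List[bytes]) -> Dict[str, int]:
    """Count accepted vs rejected segments, as a filter or sensor would report."""
    counts = {"accepted": 0, "rejected": 0}
    for seg in segments:
        ok, _ = check_tcp_segment(seg)
        counts["accepted" if ok else "rejected"] += 1
    return counts


# Constructed samples: a plain SYN to 102/TCP, a SYN carrying an MSS option
# (data offset 6), and two malformed segments with data offsets 0 and 3.
SAMPLE_SEGMENTS = [
    make_segment(40000, 102, 5),
    make_segment(40001, 102, 6, options=b"\x02\x04\x05\xb4"),
    make_segment(40002, 102, 0),
    make_segment(40003, 102, 3, payload=b"\x00" * 8),
]

if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        print(check_tcp_segment(seg))
    print(tally(SAMPLE_SEGMENTS))
```

The second check matters as much as the first: a data offset that is large rather than small makes the options region run past the buffer, which is the same class of length-field trust problem seen from the other direction.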
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens recommends the following workarounds and mitigations users can apply to
reduce risk:
o SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants): Update to v6.0.10
or later version.
o SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants):
Update to v2.0.0 or later version.
o Limit access to Port 102/TCP to trusted users and systems only.
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and to
follow the recommendations in the product manuals. Additional information on
industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories
For additional information, please refer to Siemens Security Advisory
SSA-446448 - PDF Version, SSA-446448 - TXT Version, or SSA-446448 - CSAF
Version.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1712 - [Appliance] Siemens Mendix: CVSS (Max): 5.3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1712
Advisory (icsa-22-104-07) Siemens Mendix
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens Mendix
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27241
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-07
Comment: CVSS (Max): 5.3 CVE-2022-27241 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-07)
Siemens Mendix
Original release date: April 14, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.
1. EXECUTIVE SUMMARY
o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: Mendix
o Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated
remote attacker to read sensitive data.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mendix, a software platform to build mobile and web
applications, are affected:
o Mendix applications using Mendix 7: All versions
o Mendix applications using Mendix 8: All versions
o Mendix applications using Mendix 9: All versions prior to 9.11
3.2 VULNERABILITY OVERVIEW
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
Applications built with an affected system publicly expose the internal project
structure. This could allow an unauthenticated remote attacker to read
confidential information.
CVE-2022-27241 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has provided the following specific workarounds and mitigations:
o Mendix Applications using Mendix 7: No fix currently planned
o Mendix Applications using Mendix 8: No fix currently planned
o Mendix Applications using Mendix 9: Update to Version 9.11 or later
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security, and to
follow the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
For more information on this vulnerability and more detailed mitigation
instructions, please see Siemens Security Advisory SSA-414513.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.1711 - [Appliance] Siemens SCALANCE W1700: CVSS (Max): 7.4
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1711
Advisory (icsa-22-104-08) Siemens SCALANCE W1700
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SCALANCE W1700
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28329 CVE-2022-28328 CVE-2022-27481
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-08
Comment: CVSS (Max): 7.4 CVE-2022-27481 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-08)
Siemens SCALANCE W1700
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 7.4
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE W1700
o Vulnerabilities: Race Condition, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to
cause various denial-of-service conditions.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SCALANCE, a wireless communication device, are
affected:
o SCALANCE W1788-1 M12: All versions prior to 3.0.0
o SCALANCE W1788-2 EEC M12: All versions prior to 3.0.0
o SCALANCE W1788-2 M12: All versions prior to 3.0.0
o SCALANCE W1788-2IA M12: All versions prior to 3.0.0
3.2 VULNERABILITY OVERVIEW
3.2.1 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION
('RACE CONDITION') CWE-362
The affected product does not properly handle resources of ARP requests. This
could allow an attacker to cause a race condition that leads to a crash of the
entire device.
CVE-2022-27481 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
3.2.2 IMPROPER INPUT VALIDATION CWE-20
The affected product does not properly handle malformed Multicast LLC frames.
This could allow an attacker to trigger a denial-of-service condition.
CVE-2022-28328 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
3.2.3 IMPROPER INPUT VALIDATION CWE-20
The affected product does not properly handle malformed TCP packets received
over the RemoteCapture feature. This could allow an attacker to cause a
denial-of-service condition, which only affects the port used by the
RemoteCapture feature.
CVE-2022-28329 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends installing the following software updates to address these
vulnerabilities.
o Update SCALANCE W1788-1 M12 to Version 3.0.0 or later
o Update SCALANCE W1788-2 EEC M12 to Version 3.0.0 or later
o Update SCALANCE W1788-2 M12 to Version 3.0.0 or later
o Update SCALANCE W1788-2IA M12 to Version 3.0.0 or later
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. To operate the devices in a
protected IT environment, Siemens recommends configuring the environment
according to Siemens' operational guidelines for industrial security and to
follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
For additional information, please refer to Siemens Security Advisory
SSA-392912.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1710 - [Appliance] Siemens SCALANCE X-300 Switches: CVSS (Max): 9.6
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1710
Advisory (icsa-22-104-09) Siemens SCALANCE X-300 Switches
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SCALANCE X-300 Switches
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26380 CVE-2022-26335 CVE-2022-26334
CVE-2022-25756 CVE-2022-25755 CVE-2022-25754
CVE-2022-25753 CVE-2022-25752 CVE-2022-25751
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-09
Comment: CVSS (Max): 9.6 CVE-2022-26335 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-09)
Siemens SCALANCE X-300 Switches
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 9.6
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE X-300 switch family devices
o Vulnerabilities: Improper Input Validation, Use of Insufficiently Random
Values, Stack-based Buffer Overflow, Cross-site Request Forgery, Improper
Access Control, Basic XSS, Classic Buffer Overflow, Out-of-bounds Read
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated
attacker to reboot the device, cause denial-of-service conditions, and, through
the buffer overflow vulnerabilities, impact the system by other means.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
o SCALANCE X302-7 EEC: All versions prior to v4.1.4
o SCALANCE X304-2FE: All versions prior to v4.1.4
o SCALANCE X306-1LD FE: All versions prior to v4.1.4
o SCALANCE X307-2 EEC: All versions prior to v4.1.4
o SCALANCE X307-3: All versions prior to v4.1.4
o SCALANCE X307-3LD: All versions prior to v4.1.4
o SCALANCE X308-2: All versions prior to v4.1.4
o SCALANCE X308-2LD: All versions prior to v4.1.4
o SCALANCE X308-2LH: All versions prior to v4.1.4
o SCALANCE X308-2LH+: All versions prior to v4.1.4
o SCALANCE X308-2M: All versions prior to v4.1.4
o SCALANCE X308-2M POE: All versions prior to v4.1.4
o SCALANCE X308-2M TS: All versions prior to v4.1.4
o SCALANCE X310: All versions prior to v4.1.4
o SCALANCE X310FE: All versions prior to v4.1.4
o SCALANCE X320-1 FE: All versions prior to v4.1.4
o SCALANCE X320-1-2LD FE: All versions prior to v4.1.4
o SCALANCE X408-2: All versions prior to v4.1.4
o SCALANCE XR324-4M EEC: All versions prior to v4.1.4
o SCALANCE XR324-4M PoE: All versions prior to v4.1.4
o SCALANCE XR324-4M PoE TS: All versions prior to v4.1.4
o SCALANCE XR324-12M: All versions prior to v4.1.4
o SCALANCE XR324-12M TS: All versions prior to v4.1.4
o SIPLUS NET SCALANCE X308-2: All versions prior to v4.1.4
o Smart Security Manager: Versions 1.5 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
Affected devices do not properly validate the HTTP headers of incoming
requests. This could allow an unauthenticated remote attacker to crash affected
devices.
CVE-2022-25751 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H).
3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330
The webserver of affected devices calculates session ids and nonces in an
insecure manner. This could allow an unauthenticated remote attacker to
brute-force session ids and hijack existing sessions.
CVE-2022-25752 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121
The handling of arguments such as IP addresses in the CLI of affected devices
is prone to buffer overflows. This could allow an authenticated remote attacker
to execute arbitrary code on the device.
CVE-2022-25753 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.4 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The integrated web server of the affected device could allow remote attackers
to perform actions with the permissions of a victim user, provided the victim
user has an active session and is induced to trigger the malicious request.
CVE-2022-25754 has been assigned to this vulnerability. A CVSS v3 base score of
7.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
3.2.5 IMPROPER ACCESS CONTROL CWE-284
The webserver of an affected device is missing specific security headers. This
could allow a remote attacker to extract confidential session information under
certain circumstances.
CVE-2022-25755 has been assigned to this vulnerability. A CVSS v3 base score of
2.6 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
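Findings 3.2.2 (guessable session ids), 3.2.4 (CSRF) and 3.2.5 (missing security headers) are all things a defender can see in a single HTTP response from a device's embedded web server. The Python below is an added example, not code from Siemens or from the advisory: it audits a response for the cookie attributes, the hardening headers and the session-id length an assessor would check on such a device. The two sample responses are constructed for this example; the advisory does not say which headers the affected devices lack, so the header list is an assumption taken from general web-hardening guidance (HSTS, CSP, nosniff, framing control, no-store) and the 64-bit session-id minimum from OWASP's session-management guidance.

```python
"""Audit a captured HTTP response for the cookie, header and session-id
hardening that the three web-server findings above turn on."""
import math
import string

# Constructed sample responses (not captured from any Siemens device): one as an
# embedded web server with none of the protections, one hardened.
WEAK_RESPONSE = [
    ("Server", "embedded-httpd"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=1650000001; Path=/"),   # looks like a timestamp
    ("Cache-Control", "public"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=k3XbU0q9RrT2sVwYzA1bCd; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Cache-Control", "no-store"),
]

MIN_SESSION_ID_BITS = 64   # OWASP session-management guidance (assumed threshold)


def session_id_bits(value):
    """Upper bound on the entropy of a session id, from its length and alphabet.
    Real entropy may be far lower (a timestamp is all digits but not random),
    so this only catches identifiers that are too short to ever be safe."""
    if value.isdigit():
        alphabet = 10
    elif all(c in string.hexdigits for c in value):
        alphabet = 16
    elif all(c.isalnum() or c in "-_" for c in value):
        alphabet = 64
    else:
        alphabet = 94
    return len(value) * math.log2(alphabet)


def audit_response(headers):
    """Return a list of findings for a response given as (name, value) pairs."""
    findings = []
    present = {name.lower(): value for name, value in headers}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        first, *attrs = [part.strip() for part in value.split(";")]
        cookie, _, token = first.partition("=")
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        # Secure/HttpOnly protect the session token (3.2.2, 3.2.5); SameSite
        # stops the browser attaching it to cross-site requests (3.2.4).
        for required in ("secure", "httponly", "samesite"):
            if required not in flags:
                findings.append(f"cookie {cookie}: missing {required}")
        bits = session_id_bits(token)
        if bits < MIN_SESSION_ID_BITS:
            findings.append(f"cookie {cookie}: at most {bits:.0f} bits of entropy")
    for required, why in (
        ("strict-transport-security", "session cookie may be sent over plaintext HTTP"),
        ("content-security-policy", "no script-source restriction against XSS"),
        ("x-content-type-options", "browser may sniff content type"),
        ("x-frame-options", "page can be framed for clickjacking"),
    ):
        if required not in present:
            findings.append(f"missing {required}: {why}")
    if "no-store" not in present.get("cache-control", "").lower():
        findings.append("cache-control lacks no-store: authenticated pages may be cached")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

Run against a real capture, the output is a checklist rather than a verdict: an embedded device may have no way to set some of these headers, in which case the advisory's compensating controls (restricting access to 443/TCP, disabling the web server) are the fix.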
3.2.6 IMPROPER NEUTRALIZATION OF SCRIPT-RELATED HTML TAGS IN A WEB PAGE (BASIC
XSS) CWE-80
The integrated web server could allow Cross-Site Scripting (XSS) attacks if
unsuspecting users are tricked into accessing a malicious link. This can be
used by an attacker to trigger a malicious request on the affected device.
CVE-2022-25756 has been assigned to this vulnerability. A CVSS v3 base score of
7.9 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
3.2.7 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120
Affected devices do not properly validate the GET parameter XNo of incoming
HTTP requests. This could allow an unauthenticated remote attacker to crash
affected devices.
CVE-2022-26334 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H).
3.2.8 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW')
CWE-120
Affected devices do not properly validate the URI of incoming HTTP GET
requests. This could allow an unauthenticated remote attacker to crash affected
devices.
CVE-2022-26335 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.9 OUT-OF-BOUNDS READ CWE-125
Affected devices do not properly validate if a certain SNMP key exists. An
attacker could use this to trigger a reboot of an affected device by requesting
specific SNMP information from the device.
CVE-2022-26380 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Michael Messner and Abian Blome of Siemens Energy coordinated the disclosure of
CVE-2022-25751 and CVE-2022-25756 to CISA.
4. MITIGATIONS
Siemens recommends upgrading all X-300 switch family devices to v4.1.4 or
later.
Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:
o Restrict access to the affected systems, especially to Ports 22/TCP,
161/UDP, and 443/TCP, and use trusted IP addresses only.
o Disable SNMP service, if possible.
o Deactivate the webserver if not required, and if deactivation is supported
by the product.
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to the Siemens operational guidelines for industrial
security and follow the recommendations in the product manuals.
For additional information, please refer to Siemens Security Advisory
SSA-836527.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.1709 - [Appliance] Siemens SICAM A8000: CVSS (Max): 5.3
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1709
Advisory (icsa-22-104-10) Siemens SICAM A8000
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Siemens SICAM A8000
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27480
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-104-10
Comment: CVSS (Max): 5.3 CVE-2022-27480 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-104-10)
Siemens SICAM A8000
Original release date: April 14, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SICAM A8000
o Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access
files without authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
o SICAM A8000 CP-8031: All versions prior to v4.80
o SICAM A8000 CP-8050: All versions prior to v4.80
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
Affected devices do not require a user to be authenticated to access certain
files. This could allow an unauthenticated attacker to download these files.
CVE-2022-27480 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Steffen Robertz, Gerhard Hechenberger, and Thomas Weber of SEC Consult
Vulnerability Lab reported this vulnerability to Siemens.
4. MITIGATIONS
Siemens recommends updating the SICAM A8000 devices to v4.80 or later.
As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to the Siemens operational guidelines for industrial
security and follow the recommendations in the product manuals.
For additional information, please refer to Siemens Security Advisory SSA-316850.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.1708 - [Appliance] Interlogix Hills ComNav: CVSS (Max): 6.2
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1708
Advisory (icsa-22-109-01) Interlogix Hills ComNav
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Interlogix Hills ComNav
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26519 CVE-2022-1318
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01
Comment: CVSS (Max): 6.2 CVE-2022-1318 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
--------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-109-01)
Interlogix Hills ComNav
Original release date: April 19, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 6.2
o ATTENTION: Low attack complexity
o Vendor: Interlogix is a part of Carrier Global Corporation
o Equipment: Hills ComNav
o Vulnerabilities: Improper Restriction of Excessive Authentication Attempts,
Inadequate Encryption Strength
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to log
in to modify the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Carrier reports these vulnerabilities affect the following Hills ComNav remote
access integration modules:
o Hills ComNav: versions prior to 3002-19
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307
There is no limit to the number of attempts to authenticate for the local
configuration pages for the Hills ComNav Version 3002-19 interface, which
allows local attackers to brute-force credentials.
CVE-2022-26519 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
3.2.2 INADEQUATE ENCRYPTION STRENGTH CWE-326
Hills ComNav Version 3002-19 suffers from a weak communication channel. Traffic
across the local network for the configuration pages can be viewed by a
malicious actor. The size of certain communications packets is predictable.
These issues could allow an attacker to learn the state of the system if they
can observe the traffic. This would be possible even if the traffic was
encrypted (e.g., using WPA2, as the packet sizes would remain observable).
CVE-2022-1318 has been assigned to this vulnerability. A CVSS v3 base score of
6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
o COUNTRIES/AREAS DEPLOYED: Australia
o COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Jacob Thompson of Flinders University, Dr. Paul Gardner-Stephen of Flinders
University and DEWC Systems, and Dr. Samuel Chenoweth of Defence Science and
Technology Group reported these vulnerabilities to Carrier.
4. MITIGATIONS
Carrier recommends users upgrade to Version 4000-12 or later, which is the
latest supported version at the time of this publication. Please contact the
Hills distributor to acquire the firmware update.
More information on this issue can be found in Carrier product security
advisory CARR-PSA-002-1121.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.1707 - [Appliance] Automated Logic WebCTRL: CVSS (Max): 5.2
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1707
Automated Logic WebCTRL
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Automated Logic WebCTRL
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1019
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02
Comment: CVSS (Max): 5.2 CVE-2022-1019 (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
--------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-109-02)
Automated Logic WebCTRL
Original release date: April 19, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 5.2
o ATTENTION: Low attack complexity/exploitable remotely
o Vendor: Automated Logic is a part of Carrier Global Corporation
o Equipment: WebCtrl Server
o Vulnerability: Open Redirect
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to
redirect the user to a malicious webpage or to download a malicious file.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Carrier reports this vulnerability affects the following Automated Logic
WebCtrl Server building automation software products:
o WebCtrl Server: All versions up to 7.0
3.2 VULNERABILITY OVERVIEW
3.2.1 OPEN REDIRECT CWE-601
WebCtrl Version 6.1 "Help" index pages are vulnerable to open redirection. If a
user visits a maliciously crafted URL, this vulnerability could allow an
attacker to redirect a user to a malicious webpage or download a malicious
file.
CVE-2022-1019 has been assigned to this vulnerability. A CVSS v3 base score of
5.2 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Chizuru Toyama of TXOne IoT/ICS Security Research Labs, working with Trend
Micro's Zero Day Initiative, reported this vulnerability to CISA.
4. MITIGATIONS
Carrier recommends users contact an Automated Logic dealer for instructions to
download the latest version of WebCTRL.
Carrier also recommends the following manual workaround:
o An administrator can add the CSP header/meta tag to each "index.htm" file
in each of the directories under "/webroot/_common/lvl5/help/*"
o Example would read:
Please see Carrier product security advisory CARR-PSA-001-1121 for more
information.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should take the
following measures to protect themselves from social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploits specifically target this vulnerability.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.1706 - [Appliance] FANUC ROBOGUIDE Simulation Platform: CVSS (Max): 6.1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1706
Advisory (icsa-22-109-03) FANUC ROBOGUIDE Simulation Platform
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FANUC ROBOGUIDE Simulation Platform
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-43990 CVE-2021-43988 CVE-2021-43986
CVE-2021-43933 CVE-2021-38483
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03
Comment: CVSS (Max): 6.1 CVE-2021-43988 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H
--------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-109-03)
FANUC ROBOGUIDE Simulation Platform
Original release date: April 19, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 6.1
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: FANUC Corporation / FANUC America Corporation
o Equipment: ROBOGUIDE
o Vulnerabilities: Incorrect Permission Assignment for Critical Resource,
Improper Access Control, Path Traversal, Improper Restriction of XML
External Entity Reference, Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a
denial-of-service condition, allow for remote code execution, or provide
unauthorized privilege escalation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ROBOGUIDE, a simulation platform software suite for
FANUC Robots, are affected:
o ROBOGUIDE v9.40083.00.05 (Rev T) and earlier
Note: This offline simulation software program does not provide any control or
management of physical devices or processes. It is included because it is used
in Industrial Control Systems (ICS).
3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
The affected product is vulnerable to misconfigured binaries, allowing users on
the target PC with SYSTEM-level privileges to overwrite the binary and modify
files to gain privilege escalation.
CVE-2021-38483 has been assigned to this vulnerability. A CVSS v3 base score of
6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
3.2.2 IMPROPER ACCESS CONTROL CWE-284
The setup program for the affected product configures its files and folders
with full access, which may allow unauthorized users permission to replace
original binaries and achieve privilege escalation.
CVE-2021-43986 has been assigned to this vulnerability. A CVSS v3 base score of
6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22
The affected product is vulnerable to a network-based attack by threat actors
utilizing crafted naming conventions of files to gain unauthorized access
rights.
CVE-2021-43988 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H).
3.2.4 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
The affected product is vulnerable to a network-based attack by threat actors
supplying a crafted, malicious XML payload designed to trigger an external
entity reference call.
CVE-2021-43990 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H).
3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
The affected product is vulnerable to a network-based attack by threat actors
sending unimpeded requests to the receiving server, which could cause a
denial-of-service condition due to lack of heap memory resources.
CVE-2021-43933 has been assigned to this vulnerability. A CVSS v3 base score of
6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan, United States
3.4 RESEARCHER
Sharon Brizinov with Claroty reported these vulnerabilities to CISA.
4. MITIGATIONS
FANUC has created a new version to address these vulnerabilities. Users may
obtain and install the new version by downloading ROBOGUIDE v9 Rev U or higher
from the FANUC or FANUC America website (login required).
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
No known public exploits specifically target these vulnerabilities.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.1705 - [Appliance] Elcomplus SmartPPT SCADA: CVSS (Max): 9.8
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1705
Advisory (icsa-22-109-04) Elcomplus SmartPPT SCADA
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Elcomplus SmartPPT SCADA
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-43939 CVE-2021-43934 CVE-2021-43932
CVE-2021-43930
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04
Comment: CVSS (Max): 9.8 CVE-2021-43934 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
--------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-109-04)
Elcomplus SmartPPT SCADA
Original release date: April 19, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Elcomplus
o Equipment: SmartPPT
o Vulnerabilities: Path Traversal, Unrestricted Upload of File with Dangerous
Type, Improper Authorization, Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could provide attackers a way
to traverse the file system to access files or directories that are outside of
the restricted directory; allow the upload or transfer of files of dangerous
types that can be automatically processed within the product's environment;
allow unauthorized access to an action or a resource; or allow a user to store
dangerous data in a trusted database.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of SmartPPT SCADA, an integrated voice and data dispatch
software, is affected:
o SmartPPT SCADA v1.1
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE
SCRIPTING') CWE-79
An attacker can inject JavaScript code into a specific parameter that is then
executed when the dashboard or the main page is accessed.
CVE-2021-43932 has been assigned to this vulnerability. A CVSS v3 base score of
9.0 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:R/S:C/
C:H/I:H/A:H ).
3.2.2 IMPROPER AUTHORIZATION CWE-285
A low-authenticated user can access higher level administration authorization
by issuing requests directly to the desired endpoints.
CVE-2021-43939 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:C/
C:H/I:H/A:H ).
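The flaw in 3.2.2 is the classic one where the user interface hides administrative functions from low-privilege accounts but the server never re-checks who is calling. The Python below is an added example, not code from Elcomplus or CISA; the role names, endpoint paths and handlers are hypothetical, since the advisory does not describe SmartPPT's real ones. It shows the vulnerable dispatch pattern beside a hardened one in which every registered route carries a minimum role that is enforced server-side, and unknown routes or roles are denied by default.

```python
from dataclasses import dataclass

# Hypothetical role hierarchy; SmartPPT's real roles and endpoints are not
# described in the advisory, so these names are illustrative only.
ROLE_RANK = {"viewer": 0, "dispatcher": 1, "admin": 2}


@dataclass(frozen=True)
class Request:
    user: str
    role: str      # role established by the session, never taken from the client
    path: str


# Route table: every endpoint declares the minimum role it needs. Because the
# decorator is the only way to register a handler, nothing can be reached
# without an authorization requirement attached to it.
ROUTES = {}


def route(path, min_role):
    def register(handler):
        ROUTES[path] = (min_role, handler)
        return handler
    return register


@route("/dashboard", "viewer")
def dashboard(req):
    return f"dashboard for {req.user}"


@route("/admin/users", "admin")
def admin_users(req):
    return "user list"


@route("/admin/users/delete", "admin")
def admin_delete_user(req):
    return "user deleted"


def dispatch_insecure(req):
    """The flawed pattern: admin links are hidden in the UI, but the server
    runs whatever handler the client names, so a low-privilege user reaches
    the admin endpoints by requesting them directly."""
    entry = ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"
    _, handler = entry
    return 200, handler(req)


def dispatch(req):
    """Hardened: the route's minimum role is enforced on every request, and
    unknown roles or unknown routes are denied by default."""
    entry = ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"
    min_role, handler = entry
    if req.role not in ROLE_RANK or ROLE_RANK[req.role] < ROLE_RANK[min_role]:
        return 403, "forbidden"
    return 200, handler(req)


if __name__ == "__main__":
    low = Request("bob", "viewer", "/admin/users")
    print("insecure:", dispatch_insecure(low))   # 200 and the admin data
    print("hardened:", dispatch(low))            # 403
```

The point of the route table is that the authorization requirement travels with the endpoint rather than living in a menu template; a code review can then list every route and its minimum role in one place, which is exactly the check that finds the missing guard behind a finding like this one.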
3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
The backup and restore system does not adequately validate upload requests,
enabling a malicious user to potentially upload arbitrary files.
CVE-2021-43934 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
The backup and restore system does not adequately validate download requests,
enabling malicious users to perform path traversal attacks and potentially
download arbitrary files from the system.
CVE-2021-43930 has been assigned to this vulnerability. A CVSS v3 base score of
4.9 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:U/
C:H/I:N/A:N ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Communications
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Russia
3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to CISA.
4. MITIGATIONS
Elcomplus has released an update to fix these vulnerabilities and recommends
users upgrade to Version 2.3.4 or later.
For more information, please contact Elcomplus support.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1704 - [Appliance] Elcomplus SmartPPT SCADA Server: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1704
Advisory (icsa-22-109-05) Elcomplus SmartPPT SCADA Server
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Elcomplus SmartPPT SCADA Server
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-43938 CVE-2021-43937 CVE-2021-43934
CVE-2021-43932 CVE-2021-43930
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05
Comment: CVSS (Max): 9.8 CVE-2021-43932 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-109-05)
Elcomplus SmartPPT SCADA Server
Original release date: April 19, 2022
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Elcomplus
o Equipment: SmartPPT SCADA Server
o Vulnerabilities: Cross-site Scripting, Unauthorized Exposure to Sensitive
Information, Unrestricted Upload of File with Dangerous Type, Path
Traversal, Cross-site Request Forgery
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthorized
user to store dangerous data in a trusted database; expose sensitive
information; allow malicious users to upload arbitrary files; provide attackers
a way to traverse the file system to access files or directories that are
outside of the restricted directory; or result in exposure of data or
unintended code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of SmartPPT SCADA Server, an integrated voice and data
dispatch software, is affected:
o SmartPPT SCADA Server v1.4
3.2 VULNERABILITY OVERVIEW
3.2.1 CROSS-SITE SCRIPTING CWE-79
An authenticated attacker can inject arbitrary JavaScript into critical
parameters.
CVE-2021-43932 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.2 INFORMATION EXPOSURE CWE-200
An unauthenticated user can request various files from the server without any
authentication or authorization.
CVE-2021-43938 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
The server has a feature that allows the upload of application updates;
however, validation is not required, which enables malicious users to upload
arbitrary files.
CVE-2021-43934 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.4 PATH TRAVERSAL CWE-35
The software uses external input to construct a pathname that should be within
a restricted directory, but it does not properly neutralize dot slash sequences
that can resolve to a location that is outside of that directory.
CVE-2021-43930 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
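Section 3.2.4 describes the weakness in general terms (CWE-35 is the variant where a filter strips "../" once and is defeated by sequences such as "....//"). The Python below is an added example, not code from Elcomplus or CISA; the backup directory path is an assumption, since the advisory does not name it. It contrasts the flawed single-pass filter with a resolver that canonicalises the joined path and then requires the result to stay inside the base directory, which is the fix that does not depend on recognising any particular traversal trick.

```python
import os

# Assumed location of the backup store; the real product's path is not
# published in the advisory.
BASE_DIR = "/srv/smartppt/backups"


def naive_sanitise(user_path):
    """Single-pass removal of '../': the kind of filter CWE-35 describes.
    '....//' defeats it because removing one '../' leaves another behind."""
    return user_path.replace("../", "")


def resolve_insecure(user_path):
    """Vulnerable: trusts the filter and joins the request parameter onto
    the base directory."""
    return os.path.normpath(os.path.join(BASE_DIR, naive_sanitise(user_path)))


def is_under_base(path):
    """True when path is a canonical location strictly inside BASE_DIR."""
    base = os.path.realpath(BASE_DIR)
    return (path is not None and path != base
            and os.path.commonpath([base, path]) == base)


def resolve_safe(user_path):
    """Hardened: canonicalise the joined path and require that it still lies
    under BASE_DIR. Returns None when the request must be refused; the caller
    answers 400/403 instead of serving the file."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        # os.path.join discards the base for an absolute component, and NUL
        # bytes truncate paths in C-level APIs, so reject both outright.
        return None
    candidate = os.path.realpath(os.path.join(os.path.realpath(BASE_DIR), user_path))
    return candidate if is_under_base(candidate) else None


if __name__ == "__main__":
    probe = "....//....//....//etc/passwd"
    print("filter output :", naive_sanitise(probe))      # ../../../etc/passwd
    print("insecure path :", resolve_insecure(probe))    # /etc/passwd
    print("hardened path :", resolve_safe(probe))        # literal dirs under BASE_DIR
    print("plain '..'    :", resolve_safe("../../../etc/passwd"))  # None
```

Note that the hardened resolver does not reject the "....//" probe at all: after canonicalisation those are just oddly named directories that stay inside the base, so the request fails harmlessly as a missing file. That is the property to aim for; a resolver that lists bad substrings is only as good as its list.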
3.2.5 CROSS-SITE REQUEST FORGERY CWE-352
The web application does not, or cannot, sufficiently verify whether a
well-formed, valid, consistent request was intentionally provided by the user
who submitted the request.
CVE-2021-43937 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/
C:H/I:L/A:L ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Communications
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Russia
3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to CISA.
4. MITIGATIONS
Elcomplus has released an update to fix these vulnerabilities and recommends
users upgrade to Version 2.3.4 or later.
For more information, please contact Elcomplus support.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0098 - [Win][UNIX/Linux] Oracle iLearning: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0098
Oracle iLearning Critical Patch Update
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle iLearning
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23437
Comment: CVSS (Max): 6.5 CVE-2022-23437 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
OVERVIEW
A vulnerability has been identified in:
o Oracle iLearning, versions 6.2, 6.3
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerability:
"This Critical Patch Update contains 1 new security patch for Oracle
iLearning. This vulnerability is remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials." [1]
CVE-2022-23437
6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Supported versions that are affected are 6.2 and 6.3. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle iLearning. Successful
attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle iLearning.
Affects:
o Oracle iLearning 6.2, 6.3
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2022
https://www.oracle.com/security-alerts/cpuapr2022.html
[2] Text Form of Oracle Critical Patch Update - April 2022 Risk
Matrices
https://www.oracle.com/security-alerts/cpuapr2022verbose.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0097 - [Win][UNIX/Linux] Oracle Hyperion: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0097
Oracle Hyperion Critical Patch Update
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Hyperion BI+
Oracle Hyperion Calculation Manager
Oracle Hyperion Data Relationship Management
Oracle Hyperion Financial Management
Oracle Hyperion Infrastructure Technology
Oracle Hyperion Planning
Oracle Hyperion Profitability and Cost Management
Oracle Hyperion Tax Provision
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23305 CVE-2021-44832 CVE-2021-31812
CVE-2020-7760 CVE-2020-6950
Comment: CVSS (Max): 9.8 CVE-2022-23305 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
OVERVIEW
Multiple vulnerabilities have been identified in:
o Oracle Hyperion BI+, versions prior to 11.2.8.0
o Oracle Hyperion Calculation Manager, versions prior to 11.2.8.0
o Oracle Hyperion Data Relationship Management, versions prior to
11.2.8.0, prior to 11.2.9.0
o Oracle Hyperion Financial Management, versions prior to
11.2.8.0
o Oracle Hyperion Infrastructure Technology, versions prior to
11.2.8.0
o Oracle Hyperion Planning, versions prior to 11.2.8.0
o Oracle Hyperion Profitability and Cost Management, versions
prior to 11.2.8.0
o Oracle Hyperion Tax Provision, versions prior to 11.2.8.0
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 12 new security patches for
Oracle Hyperion. 4 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a
network without requiring user credentials." [1]
CVE-2022-23305
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is Prior to 11.2.8.0. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Hyperion Data
Relationship Management. Successful attacks of this vulnerability can
result in takeover of Oracle Hyperion Data Relationship Management.
Affects:
o Oracle Hyperion Data Relationship Management Prior to 11.2.8.0
o Oracle Hyperion Infrastructure Technology Prior to 11.2.8.0
CVE-2021-44832
6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is Prior to 11.2.8.0.
Difficult to exploit vulnerability allows high privileged attacker
with network access via HTTP to compromise Oracle Hyperion BI+.
Successful attacks of this vulnerability can result in takeover of
Oracle Hyperion BI+.
Affects:
o Oracle Hyperion BI+ Prior to 11.2.8.0
o Oracle Hyperion Data Relationship Management Prior to 11.2.8.0
o Oracle Hyperion Financial Management Prior to 11.2.8.0
o Oracle Hyperion Infrastructure Technology Prior to 11.2.8.0
o Oracle Hyperion Planning Prior to 11.2.8.0
o Oracle Hyperion Profitability and Cost Management Prior to
11.2.8.0
o Oracle Hyperion Tax Provision Prior to 11.2.8.0
CVE-2020-6950
6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
The supported version that is affected is Prior to 11.2.8.0. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Hyperion Calculation
Manager. Successful attacks require human interaction from a person
other than the attacker. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete access to
all Oracle Hyperion Calculation Manager accessible data.
Affects:
o Oracle Hyperion Calculation Manager Prior to 11.2.8.0
CVE-2021-31812
5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
The supported version that is affected is Prior to 11.2.8.0. Easily
exploitable vulnerability allows unauthenticated attacker with logon
to the infrastructure where Oracle Hyperion Infrastructure Technology
executes to compromise Oracle Hyperion Infrastructure Technology.
Successful attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of Oracle Hyperion Infrastructure Technology.
Affects:
o Oracle Hyperion Infrastructure Technology Prior to 11.2.8.0
CVE-2020-7760
5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
The supported version that is affected is Prior to 11.2.9.0. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Hyperion Data
Relationship Management. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Oracle Hyperion Data Relationship Management.
Affects:
o Oracle Hyperion Data Relationship Management Prior to 11.2.9.0
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2022
https://www.oracle.com/security-alerts/cpuapr2022.html
[2] Text Form of Oracle Critical Patch Update - April 2022 Risk
Matrices
https://www.oracle.com/security-alerts/cpuapr2022verbose.html
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0096 - [Win][UNIX/Linux] Oracle Hospitality Applications: CVSS (Max): 8.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0096
Oracle Hospitality Applications Critical Patch Update
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Hospitality Suite8
Oracle Hospitality Token Proxy Service
Oracle Payment Interface
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2021-44832 CVE-2021-41184 CVE-2021-37714
CVE-2020-13936
Comment: CVSS (Max): 8.8 CVE-2020-13936 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
OVERVIEW
Multiple vulnerabilities have been identified in:
o Oracle Hospitality Suite8, versions 8.10.2, 8.11.0-8.14.0
o Oracle Hospitality Token Proxy Service, version 19.2
o Oracle Payment Interface, versions 19.1, 20.3
[1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 6 new security patches for
Oracle Hospitality Applications. 2 of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be exploited
over a network without requiring user credentials." [1]
CVE-2020-13936
8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 19.2. Easily exploitable
vulnerability allows low privileged attacker with network access via
HTTP to compromise Oracle Hospitality Token Proxy Service. Successful
attacks of this vulnerability can result in takeover of Oracle
Hospitality Token Proxy Service.
Affects:
o Oracle Hospitality Token Proxy Service 19.2
CVE-2021-37714
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The supported version that is affected is 19.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
HTTP to compromise Oracle Hospitality Token Proxy Service. Successful
attacks of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS) of Oracle
Hospitality Token Proxy Service.
Affects:
o Oracle Hospitality Token Proxy Service 19.2
CVE-2021-44832
6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 8.13.0 and 8.14.0. Difficult
to exploit vulnerability allows high privileged attacker with network
access via TCP to compromise Oracle Hospitality Suite8. Successful
attacks of this vulnerability can result in takeover of Oracle
Hospitality Suite8.
Affects:
o Oracle Hospitality Suite8 8.13.0, 8.14.0
o Oracle Hospitality Token Proxy Service 19.2
o Oracle Payment Interface 19.1, 20.3
CVE-2021-41184
6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Supported versions that are affected are 8.10.2 and 8.11.0-8.14.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle Hospitality Suite8.
Successful attacks require human interaction from a person other than
the attacker and while the vulnerability is in Oracle Hospitality
Suite8, attacks may significantly impact additional products (scope
change). Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
Hospitality Suite8 accessible data as well as unauthorized read
access to a subset of Oracle Hospitality Suite8 accessible data.
Affects:
o Oracle Hospitality Suite8 8.10.2, 8.11.0-8.14.0
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2022
https://www.oracle.com/security-alerts/cpuapr2022.html
[2] Text Form of Oracle Critical Patch Update - April 2022 Risk
Matrices
https://www.oracle.com/security-alerts/cpuapr2022verbose.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ASB-2022.0095 - [Win][UNIX/Linux] Oracle Health Sciences Applications: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2022.0095
Oracle Health Sciences Applications Critical Patch Update
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Health Sciences Empirica Signal
Oracle Health Sciences InForm
Oracle Health Sciences InForm Publisher
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2021-44832 CVE-2021-3711
Comment: CVSS (Max): 9.8 CVE-2021-3711 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
OVERVIEW
Multiple vulnerabilities have been identified in:
o Oracle Health Sciences Empirica Signal, versions 9.1.0.6, 9.2.0.0
o Oracle Health Sciences InForm, versions 6.2.1.1, 6.3.2.1, 7.0.0.0
o Oracle Health Sciences InForm Publisher, versions 6.2.1.1, 6.3.1.1 [1]
IMPACT
The vendor has provided the following information regarding the
vulnerabilities:
"This Critical Patch Update contains 3 new security patches for
Oracle Health Sciences Applications. 1 of these vulnerabilities may
be remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user credentials." [1]
CVE-2021-3711
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 6.2.1.1 and 6.3.1.1. Easily
exploitable vulnerability allows unauthenticated attacker with
network access via TLS to compromise Oracle Health Sciences InForm
Publisher. Successful attacks of this vulnerability can result in
takeover of Oracle Health Sciences InForm Publisher.
Affects:
o Oracle Health Sciences InForm Publisher 6.2.1.1, 6.3.1.1
CVE-2021-44832
6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 9.1.0.6 and 9.2.0.0.
Difficult to exploit vulnerability allows high privileged attacker
with network access via HTTP to compromise Oracle Health Sciences
Empirica Signal. Successful attacks of this vulnerability can result
in takeover of Oracle Health Sciences Empirica Signal.
Affects:
o Oracle Health Sciences Empirica Signal 9.1.0.6, 9.2.0.0
o Oracle Health Sciences InForm 6.2.1.1, 6.3.2.1, 7.0.0.0
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. Until
you apply the CPU fixes, it may be possible to reduce the risk of
successful attack by blocking network protocols required by an
attack. For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2022
https://www.oracle.com/security-alerts/cpuapr2022.html
[2] Text Form of Oracle Critical Patch Update - April 2022 Risk
Matrices
https://www.oracle.com/security-alerts/cpuapr2022verbose.html
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
ESB-2022.1703 - [SUSE] SDL2: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1703
Security update for SDL2
20 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SDL2
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2021-33657
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221218-1
Comment: CVSS (Max): 7.8 CVE-2021-33657 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for SDL2
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1218-1
Rating: important
References: #1198001
Cross-References: CVE-2021-33657
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Desktop Applications 15-SP3
SUSE Linux Enterprise Module for Desktop Applications 15-SP4
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for SDL2 fixes the following issues:
o CVE-2021-33657: Fix a buffer overflow when parsing a crafted BMP image (bsc#1198001).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1218=1
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1218=1
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1218=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1218=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1218=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1218=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1218=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1218=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1218=1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-1218=1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1218=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP4:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-1218=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-1218=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1218=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1218=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1218=1
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o openSUSE Leap 15.4 (x86_64):
libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-32bit-2.0.8-150200.11.6.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o openSUSE Leap 15.3 (x86_64):
libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-32bit-2.0.8-150200.11.6.1
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Manager Proxy 4.1 (x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64 ppc64le s390x x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
SDL2-debugsource-2.0.8-150200.11.6.1
libSDL2-2_0-0-2.0.8-150200.11.6.1
libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
libSDL2-devel-2.0.8-150200.11.6.1
References:
o https://www.suse.com/security/cve/CVE-2021-33657.html
o https://bugzilla.suse.com/1198001
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----