AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
20 April 2022

ESB-2022.1718 - [Appliance] Delta Electronics DMARS: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1718
               Advisory (icsa-22-104-01) Delta Electronics DMARS
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Delta Electronics DMARS
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1331
Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-01

Comment: CVSS (Max):  5.5 CVE-2022-1331 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-01)
Delta Electronics DMARS

Original release date: April 14, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .

1. EXECUTIVE SUMMARY

  o CVSS v3 5.5
  o ATTENTION: Low attack complexity
  o Vendor: Delta Electronics
  o Equipment: DMARS
  o Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain
sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of DMARS, a Motion Controller program development tool,
are affected:

  o DMARS: All versions prior to v2.1.10.24

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

In four instances the affected product does not properly restrict references of
XML external entities while processing specific project files, which may allow
unauthorized information disclosure.

CVE-2022-1331 has been assigned to this vulnerability. A CVSS v3 base score of
5.5 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Kimiya, working with Trend Micro's Zero Day Initiative, reported this
vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to the latest version. Users can
obtain the update by contacting Delta Electronics' corresponding FAE (Field
Application Engineer) or solution center.

Delta Electronics also recommends the following:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o Never connect programming software to any network other than the network
    intended for that device.
  o When remote access is required, use secure methods, such as virtual private
    networks (VPNs), recognizing a VPN is only as secure as its connected
    devices.

CISA recommends users take the following measures to protect themselves from
social engineering attacks:

  o Only use project files from trusted sources.
  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on
    avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more
    information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available for
reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability is not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZreNLKJtyKPYoAQjiWA/7BLCqo3uIS8pk4t/qF4v8l35g+tBPlVT5
19HgfHxXxSsfu0K6yuX4knb5Mg8zAK8xNYisw8IknIJS9KHksA2PtcoM3ENVPgT5
lI9XEVf9U/Nx0SIoKieBT1GO4N6QlTNLKgcf9iJEFvTOIDhZMC+bRZlhfChB5qxQ
swLRH5VNLzjphrcw33YTnvqRxQQqHvFLZb1zsRRKGX3vMsKnDJ3mMqzZBntVyKU6
CR0bz2I7vSmNSRbBiSou5No5/o7tiThKa6l+Zpt8s9SYR+1hPXXvCua7S2F/Kdtf
s4ReCWV9Sphv90mCs2q7aK0M3k5U3hNPIPUAo/Y4Wst4qpyAVa/8bzLvVHnlehB3
Ui+2a8aV8v8y+77F0DtxkxRyI2T6OXGpAt0cFK7lGsuxZYeVS15HKLJTBSUzXBY4
OgfmX5NAi2U4kd8F9m9ZE7eoNJEIgaJHKwhwnBGGsvu8PJMywrzNMIZPjJK8FgdU
IHz/SkgPRN1q1gEjEviyPvLJyQg0uraHKIYhx6UVfKlqRFap7jyd6Ere45jElu9x
N3tmGCnS+utkZ0/XYrZkC8TSxELRe2hr2d6C7F1Sbnus7rHD9s9tbgpoVyhoEbyR
9e7W6cwHjtBh2pCFR87D9IgaOM6iIfWi2/AKQjTFnBDAzbc3K4RohrdhxcLVFmlc
CCqSxJ7d84s=
=KzWk
-----END PGP SIGNATURE-----
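The CWE-611 issue in ESB-2022.1718 is the classic XML External Entity pattern: a project file declares an entity whose SYSTEM identifier points at a local path, and a parser that resolves external general entities inlines that file's contents wherever the entity is referenced. The following Python is an added example (not Delta Electronics' code, and not how DMARS is implemented) contrasting a loader that resolves external entities with one that refuses DTDs outright. The `<project>/<comment>` layout, the "secret" file and all paths are constructed for the demo.

```python
"""XXE (CWE-611) in a project-file loader: permissive vs hardened parsing.

Added example, not Delta Electronics' code. The <project>/<comment> layout
is a constructed stand-in for whatever DMARS actually reads; the only real
mechanism shown is the XML parser's handling of external general entities.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so we can see what the parser resolved."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def _sax_parse(xml_bytes: bytes, resolve_external: bool) -> str:
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched and inlined.
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def load_project_permissive(xml_bytes: bytes) -> str:
    """VULNERABLE: external entities are resolved, so a crafted project file
    pulls an arbitrary local file into the parsed text (and from there into
    whatever the tool logs, displays or uploads)."""
    return _sax_parse(xml_bytes, resolve_external=True)


def load_project_hardened(xml_bytes: bytes) -> str:
    """Hardened: a project file has no business carrying a DTD, so refuse any
    DOCTYPE/ENTITY declaration outright (fail closed rather than silently
    drop the entity), and keep external resolution off as defence in depth."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed in project files")
    return _sax_parse(xml_bytes, resolve_external=False)


def build_samples():
    """Constructed inputs: a 'secret' file standing in for the data an attacker
    is after, a benign project file, and one carrying an external entity."""
    secret_path = Path(tempfile.mkdtemp()) / "secret.txt"
    secret_path.write_text("db_password=hunter2")
    benign = b"<project><comment>axis 1 homing profile</comment></project>"
    malicious = (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE project [<!ENTITY xxe SYSTEM "'
        + secret_path.as_uri().encode()
        + b'">]>\n'
        b"<project><comment>&xxe;</comment></project>"
    )
    return benign, malicious


def demo() -> dict:
    """Run both loaders over both inputs; the dict is what the test checks."""
    benign, malicious = build_samples()
    result = {
        "permissive_benign": load_project_permissive(benign),
        "permissive_malicious": load_project_permissive(malicious),
        "hardened_benign": load_project_hardened(benign),
    }
    try:
        load_project_hardened(malicious)
        result["hardened_malicious"] = "accepted"
    except ValueError:
        result["hardened_malicious"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Python's own `xml.sax` has shipped with external general entities disabled since 3.7.1, which is why the example has to switch the feature on to reproduce the bug; a parser that silently drops the entity is still a worse outcome than rejecting the file, so the hardened loader fails closed on any DOCTYPE. That rejection is the check to apply to any engineering tool that opens project files arriving by e-mail or from a shared drive, which is the attack path the social-engineering bullets in the advisory are about.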
20 April 2022

ESB-2022.1717 - [Appliance] Johnson Controls Metasys: CVSS (Max): 8.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1717
               Advisory (icsa-22-104-02) Johnson Controls Metasys
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Johnson Controls Metasys
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36205
Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-02

Comment: CVSS (Max):  8.1 CVE-2021-36205 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-02)
Johnson Controls Metasys

Original release date: April 14, 2022

1. EXECUTIVE SUMMARY

  o CVSS v3 8.1
  o ATTENTION: Exploitable remotely
  o Vendor: Johnson Controls Inc.
  o Equipment: Metasys ADS/ADX/OAS Servers
  o Vulnerability: Incomplete Cleanup

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to
use a session token that has not been cleared upon log out of an authenticated
user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports this vulnerability affects the following Metasys
ADS/ADX/OAS servers for building management systems:

  o All Metasys ADS/ADX/OAS Servers: Versions 10 and 11

3.2 VULNERABILITY OVERVIEW

3.2.1 INCOMPLETE CLEANUP CWE-459

Under certain circumstances the session token is not cleared upon log out.

CVE-2021-36205 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends users update the following:

  o Update all Metasys ADS/ADX/OAS Servers: Versions 10 with patch 10.1.5
  o Update all Metasys ADS/ADX/OAS Servers: Versions 11 with patch 11.0.2

For more detailed mitigation instructions, please see Johnson Controls Product
Security Advisory JCI-PSA-2022-06 v1.

Johnson Controls recommends taking steps to minimize risks to all building
automation systems.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

No known public exploits specifically target this vulnerability. This
vulnerability has a high attack complexity.

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZnuNLKJtyKPYoAQghRxAAjZpf1f3eehJkXyE6ad1FwpPxIT51t0eF
jMkEUvbEkrD0SHB8Eq4+wMSgdA/5xtTjhpASOTs36CKaOlJgvQ6oaeWt9HakzsZX
VcpRRL/ftQ3OKt67CBNhZ/OTrGoHzT3KH8Mwe8RrGeX2Hh/55e0dIIMQyU8kZq4S
yfmhdtaaDQEEsr93NcGk8Q2nYAOOyaN85l9df2QMAXLuGmCsPdMB3vskSZIt4tgX
8qtsjR7olGEAHZdXjp1azO9w1xaOQQ16io3+Irac8ZHei+iKpPJpv+8vyTKczAWd
/6m7cFYLBj2pV6quT09FxJ0rjbWzcgWU0fKvU6TQDFGB2ztIeE6vpbGZNOOe7DVZ
IHiZQ2BrpYb/34GRHlPL0MsUS+fyy7k9LjZwN4p41iTXZ0w2+daxc18aXzhF/opY
lsUd6BHtuzBzGogLJ/9/G8Utw44HGcKv37JhJw93UV3kblp44rKFjWmCyfPrdM3L
n5FAl7s0FLlA5VzcEl8WhtOsJZNiV3bVl8yjBUkVXcfmpNCpo9VKBrJQPCdHxj3D
L9IS8cQOUebnnH6OGtwgfTMROx+k8Bx2cjx+O+nT8MsuoiB/Lgb5/e9Z+t6YcbQS
RyaONBwOYBKO+pqzG6GIBEnabZVXEh1xJ2+EdEEEpt7JlXC6PiWXEmzoT7KLZ9Wd
wlwwtmAGbL4=
=Xc5D
-----END PGP SIGNATURE-----
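The CWE-459 weakness in ESB-2022.1717 is easy to misread as a cookie problem. Clearing the cookie in the browser's response to "log out" does nothing to a copy of the token that already sits in a proxy log, a browser on a shared engineering workstation, or a capture of unencrypted traffic; the token stays valid until the server forgets it. The following Python is an added example (not Johnson Controls' code; nothing here reflects Metasys internals) showing a generic in-memory session store with an incomplete and a complete logout, plus the black-box replay check that distinguishes them on any web application.

```python
"""Session revocation on logout (CWE-459): incomplete vs complete cleanup.

Added example, not Johnson Controls' code. SessionStore is a generic
in-memory token store standing in for whatever Metasys uses; the point is
that clearing the cookie client-side is not a logout unless the server
also forgets the token.
"""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds: float = 900.0):
        self._sessions = {}            # token -> (user, absolute expiry)
        self.ttl = ttl_seconds

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: unguessable, so replay needs a captured copy
        self._sessions[token] = (user, time.monotonic() + self.ttl)
        return token

    def authenticate(self, token: str):
        """Return the user for a live token, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if time.monotonic() > expiry:
            self._sessions.pop(token, None)   # lazy expiry on first touch
            return None
        return user

    def logout_incomplete(self, token: str) -> str:
        """VULNERABLE: only instructs the browser to drop the cookie. The
        server-side entry survives, so anyone holding a copy of the token
        can keep using it until the TTL runs out."""
        return "Set-Cookie: session=; Max-Age=0; Path=/"

    def logout(self, token: str) -> str:
        """Fixed: revoke server-side first, then clear the cookie."""
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0; Path=/"


def replay_after_logout(store: SessionStore, fixed: bool) -> bool:
    """Black-box check: log in, log out, replay the old token.
    Returns True if the replayed token is still accepted (the bug)."""
    token = store.login("operator")
    (store.logout if fixed else store.logout_incomplete)(token)
    return store.authenticate(token) is not None


if __name__ == "__main__":
    print("incomplete logout, replay accepted:", replay_after_logout(SessionStore(), fixed=False))
    print("complete logout, replay accepted:  ", replay_after_logout(SessionStore(), fixed=True))
```

The `replay_after_logout` probe is the same test to run against a patched Metasys server (or any web front end) with an intercepting proxy: log in, log out through the UI, then resend an authenticated request with the old token. The advisory only says the token survives "under certain circumstances", so the probe should be repeated for every logout path the product offers (UI button, session timeout, closing the browser), not just the obvious one.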
20 April 2022

ESB-2022.1716 - [Appliance] Red Lion DA50N: CVSS (Max): 9.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1716
                    Advisory (icsa-22-104-03) Red Lion DA50N
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Lion DA50N
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Mitigation
CVE Names:         CVE-2022-27179 CVE-2022-26516 CVE-2022-1039
Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-03

Comment: CVSS (Max):  9.6 CVE-2022-1039 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-03)
Red Lion DA50N

Original release date: April 14, 2022

1. EXECUTIVE SUMMARY

  o CVSS v3 9.6
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Red Lion
  o Equipment: DA50N
  o Vulnerabilities: Insufficient Verification of Data Authenticity, Weak
    Password Requirements, Use of Unmaintained Third-Party Components,
    Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in data
compromise, data modification, and a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Red Lion DA50N, a networking gateway, are affected:

  o DA50N: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

Authorized users may install a maliciously modified package file when updating
the device via the web user interface. The user may inadvertently use a package
file obtained from an unauthorized source or a file that was compromised
between download and deployment.

CVE-2022-26516 has been assigned to this vulnerability. A CVSS v3 base score of
8.4 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

3.2.2 WEAK PASSWORD REQUIREMENTS CWE-521

The weak password on the web user interface can be exploited via HTTP or HTTPS.
Once such access has been obtained, the other passwords can be changed. The
weak password on Linux accounts can be accessed via SSH or Telnet, the former
of which is by default enabled on trusted interfaces. While the SSH service does
not support root login, a user logging in using either of the other Linux
accounts may elevate to root access using the su command if they have access
to the associated password.

CVE-2022-1039 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.3 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104

This product relies on an outdated, unmaintained Linux kernel v4.9.119 that
contains multiple vulnerabilities that may impact security.

3.2.4 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

A malicious actor having access to the exported configuration file may obtain
the stored credentials and thereby gain access to the protected resource. If
the same passwords were used for other resources, further such assets may be
compromised.

CVE-2022-27179 has been assigned to this vulnerability. A CVSS v3 base score of
4.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Ron Brash of aDolus Technology Inc. reported these vulnerabilities to CISA.

4. MITIGATIONS

Red Lion notes the DA50N series product is at end-of-life and does not intend
to release a software update to address these vulnerabilities. Users are
encouraged to apply workarounds and mitigations or upgrade their device to
DA50A and DA70A.

Red Lion has provided the following workarounds to help mitigate the risk of
these vulnerabilities:

  o Do not install image files that are obtained from sources other than the
    official Red Lion website.
  o When downloading images from Red Lion's website, ensure the validity of the
    server's TLS certificate.
  o If package files or images are to be stored before deployment, ensure they
    are stored in a secure manner.
  o Minimize the risk of unauthorized installation via SD card by limiting
    physical access to the device.
  o Ensure the default UI password is changed to one meeting standard security
    practices.
  o Change the admin, rlcuser and techsup account passwords from their default
    values.
  o Disable the SSH service and keep the telnet service disabled if they are
    not required.
  o Do not re-use the same password for securing multiple resources.
  o Limit access to configuration files that contain valuable credentials.
  o Ensure the use of secure credentials when configuring optional services.
  o Enable only the minimum set of optional services required for the
    application.

For additional information, refer to Red Lion's security alert.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

No known public exploits specifically target these vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZkuNLKJtyKPYoAQihRw//YXeFA8o3kSnzJfDLZuV9nIhhiYTH3kFj
AoXMTUXMrxMaxFz3hAktH5KM8gce/Ft2NXQi2aJBxldsmUmm5bT1W6CukukBajYV
rT0VvLzyKAef64lS208Vo732GTaj6H295Hh8kUUaoJAwUwbgaYX+pi6/OZbKY4lh
LJuTzqkTvaBew09KoWiLawNlTV+HpgNa5TjZUgfeSSXpRU3Tu54QaowC0jOp/+nn
Vevo3MJ/i+h1TBy3HkP+xRW7jBQOAErUTwDlspqL9ZfeTezppVWiJnabWpTeZ0f9
5Dyq7LbF5ZMONhIopYTQ4H7DmTj6rEd3SyQhBejB003dIJLMMhFXXUEKGiVdyMmR
cdD85RBEGxanKBWD1MqA/VdKuKqiHGbSGpb/OEGqWpqQJVfIuey6l/AJCLLaqS70
OHnhz6hYmlp+XCqr7/M3/oZ8mHf+fvk0KDEDwEhizkpoUCWfWWI5q61jibFP1YWU
iXyqZqFK5Q4xYIk1gTTOD02s9RdittSsWcJmIOnpbmxQpVWCT54lcMzLHo0/m4Hi
SplrlU1BfW8ij4cXNX5FEMYepZckHAeCFXrYH1Vk9R4InXFNW1mPX1RI+Bv7Wstx
5CYPhIKwek8oXVa4Aq/6u7Pc7t9LENGVgNqDHG42J3D47Y+QNDTYVeZD79I+hpW9
8juCqDiCdpg=
=I1Ux
-----END PGP SIGNATURE-----
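With the DA50N at end-of-life, the CWE-345 issue in ESB-2022.1716 has to be handled on the operator's side: the device will not verify an update package, so the person deploying it must, and the vendor's workarounds ("ensure the validity of the server's TLS certificate", "stored in a secure manner") are really about keeping an integrity reference from the download moment through to installation. The following Python is an added example (not Red Lion's code; the manifest format, package bytes and file names are constructed) of a verify-then-install step that pins a SHA-256 digest obtained from the vendor's TLS-authenticated page and installs only the bytes that were verified, closing the check-then-use window the advisory describes as "compromised between download and deployment".

```python
"""Verifying an update package before installing it (CWE-345).

Added example, not Red Lion's code. The manifest format (sha256sum-style
"<hex digest>  <filename>" lines) and the package bytes are constructed
for the demo; the technique is verify-then-install over the same bytes,
so a file swapped between download and deployment is caught.
"""
import hashlib
import hmac


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}.
    Accepts both '  name' (text) and ' *name' (binary) forms."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        table[name] = digest.lower()
    return table


def verify_package(package: bytes, name: str, manifest: dict) -> bool:
    """True only if the package's SHA-256 matches the pinned digest for `name`."""
    expected = manifest.get(name)
    if expected is None:
        return False          # unknown package: fail closed rather than install blind
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_if_verified(package: bytes, name: str, manifest: dict, install) -> bool:
    """Read once, verify, then hand the *same bytes* to the installer.
    Re-opening the path after the check would reopen the TOCTOU window."""
    if not verify_package(package, name, manifest):
        return False
    install(package)
    return True


def demo() -> dict:
    """Constructed data: a fake image and a manifest we pretend was fetched
    from the vendor's TLS-authenticated download page."""
    genuine = b"DA50N-FIRMWARE\x00" + bytes(range(256)) * 4
    manifest = parse_manifest(
        "# published next to the image\n"
        f"{hashlib.sha256(genuine).hexdigest()}  da50n_update.bin\n"
    )
    tampered = bytearray(genuine)
    tampered[100] ^= 0x01      # one flipped bit on the way from download to deployment
    installed = []
    return {
        "genuine_installed": install_if_verified(genuine, "da50n_update.bin", manifest, installed.append),
        "tampered_installed": install_if_verified(bytes(tampered), "da50n_update.bin", manifest, installed.append),
        "unknown_name_installed": install_if_verified(genuine, "other.bin", manifest, installed.append),
        "install_calls": len(installed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A pinned digest is only as trustworthy as the channel it came from, which is why the vendor's TLS-certificate bullet matters: the digest must be read from the authenticated page, not from a file that travelled with the image. Where a vendor publishes a signature over the image, verify that instead; a digest fetched over the same path as the image proves nothing if that path was the one compromised.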
20 April 2022

ESB-2022.1715 - [Appliance] Siemens SCALANCE FragAttacks: CVSS (Max): 6.5

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1715 Advisory (icsa-22-104-04) Siemens SCALANCE FragAttacks 20 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Siemens SCALANCE FragAttacks Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2020-26147 CVE-2020-26146 CVE-2020-26145 CVE-2020-26144 CVE-2020-26143 CVE-2020-26141 CVE-2020-26140 CVE-2020-26139 CVE-2020-24588 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04 Comment: CVSS (Max): 6.5 CVE-2020-26140 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-104-04) Siemens SCALANCE FragAttacks Original release date: April 14, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 6.5 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Siemens o Equipment: SCALANCE family devices o Vulnerabilities: Improper Authentication, Injection, Improper Validation of Integrity Check, Improper Input Validation 2. 
RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and traffic manipulation. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Siemens products are affected: o SCALANCE W721-1 RJ45: All versions o SCALANCE W722-1 RJ45: All versions o SCALANCE W734-1 RJ45: All versions o SCALANCE W738-1 M12: All versions o SCALANCE W748-1 M12: All versions o SCALANCE W738-1 RJ45: All versions o SCALANCE W761-1 RJ45: All versions o SCALANCE W774-1 M12 EEC: All versions o SCALANCE W774-1 RJ45: All versions o SCALANCE W778-1 M12 EEC: All versions o SCALANCE W786-1 RJ45: All versions o SCALANCE W786-2 RJ45: All versions o SCALANCE W786-2 SFP: All versions o SCALANCE W786-2IA RJ45: All versions o SCALANCE W788-1 M12: All versions o SCALANCE W788-1 RJ45: All versions o SCALANCE W788-2 M12: All versions o SCALANCE W788-1 M12 EEC: All versions o SCALANCE W788-2 RJ45: All versions o SCALANCE W1748-1 M12: All versions prior to v3.0.0 o SCALANCE W1750D M12: All versions prior to v8.7.1.3 o SCALANCE W1788-1 M12: All versions prior to v3.0.0 o SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0 o SCALANCE W1788-2 M12: All versions prior to v3.0.0 o SCALANCE W1788-2IA M12: All versions prior to v3.0.0 o SCALANCE WAM766-1: All versions o SCALANCE WAM766-1 EEC: All versions o SCALANCE WUM763-1: All versions o SCALANCE WUM766-1: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require the A-MSDU flag in the plaintext QoS header field to be authenticated. Against devices that support receiving non-SSP A-MSDU frames, which is mandatory as part of 802.11n, an adversary can abuse this to inject arbitrary network packets. CVE-2020-24588 has been assigned to this vulnerability. 
A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:R/S:U/C:N/ I:L/A:N ). 3.2.2 IMPROPER AUTHENTICATION CWE-287 An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. CVE-2020-26139 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/C:N/ I:N/A:H ). 3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74 An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/C:N/ I:H/A:N ). 3.2.4 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354 An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. CVE-2020-26141 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/C:N/ I:H/A:N ). 3.2.5 IMPROPER INPUT VALIDATION CWE-20 An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. 
The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

CVE-2020-26145 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is vulnerable to this attack by design.
CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

CVE-2020-26147 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends updating to the latest software version where one is available:

o SCALANCE W1748-1 M12: Update to v3.0.0 or later
o SCALANCE W1750D M12: Update to v8.7.1.3 or later
o SCALANCE W1788-1 M12: Update to v3.0.0 or later
o SCALANCE W1788-2 EEC M12: Update to v3.0.0 or later
o SCALANCE W1788-2 M12: Update to v3.0.0 or later
o SCALANCE W1788-2IA M12: Update to v3.0.0 or later
o SCALANCE WAM766-1: Update to v1.2 or later
o SCALANCE WAM766-1 EEC: Update to v1.2 or later
o SCALANCE WUM763-1: Update to v1.2 or later
o SCALANCE WUM766-1: Update to v1.2 or later

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

o As these vulnerabilities can only be exploited within Wi-Fi range, when possible reduce Wi-Fi transmission power or make sure to have the devices in private areas with physical access controls
o When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and CVE-2020-26144

For more details regarding the FragAttacks vulnerabilities refer to:

o Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the Siemens operational guidelines for industrial security and follow the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-913875

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
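The A-MSDU flag weakness in 3.2.1 (CVE-2020-24588) and the "disable A-MSDU" workaround in section 4 above come down to one receiver-side decision: whether the decrypted payload is parsed as a single MSDU or as a list of A-MSDU subframes, decided by a QoS Control bit that the CCMP/GCMP integrity check does not cover. The Python below is an added illustration written for this page; it is not code from the advisory, from Siemens, or from any Wi-Fi stack. It models only the receiver's parsing step, not the radio side (where the attacker must replay a captured encrypted frame with the flag flipped and must get a suitable IPv4 packet delivered to the victim), and it uses constructed MAC addresses and a constructed IPv4/UDP payload. It shows how a normal LLC/SNAP-framed IP packet is re-read as subframes once the flag is set, with the IPv4 Identification field landing exactly in the first subframe's Length, and contrasts a receiver that trusts the flag with one that applies the workaround (A-MSDU disabled) or a heuristic of the kind the Linux kernel's FragAttacks fixes use (drop an A-MSDU whose first six bytes are the LLC/SNAP header).

```python
import struct

AMSDU_PRESENT = 0x80  # bit 7 of the 802.11 QoS Control field; sent in the clear, not covered by the MIC
RFC1042_HDR = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix every normal (non-A-MSDU) data MSDU starts with

# Constructed addresses for the sample frames (not real devices).
VICTIM_MAC = bytes.fromhex("020000000001")
GATEWAY_MAC = bytes.fromhex("020000000002")


def parse_amsdu(payload: bytes) -> list:
    """Split an A-MSDU into (DA, SA, MSDU) tuples.
    Subframe layout (IEEE 802.11): DA(6) | SA(6) | Length(2, big-endian) | MSDU | pad to 4-byte boundary."""
    subframes, off = [], 0
    while off + 14 <= len(payload):
        da, sa = payload[off:off + 6], payload[off + 6:off + 12]
        (length,) = struct.unpack(">H", payload[off + 12:off + 14])
        msdu = payload[off + 14:off + 14 + length]
        if len(msdu) != length:
            raise ValueError("truncated A-MSDU subframe")
        subframes.append((da, sa, msdu))
        off += 14 + length
        off += (-off) % 4  # padding only exists between subframes; overshooting the end just ends the loop
    return subframes


def receive_naive(qos_ctrl: int, payload: bytes) -> list:
    """Vulnerable receiver: lets the unauthenticated flag decide how the decrypted payload is parsed."""
    if qos_ctrl & AMSDU_PRESENT:
        return [msdu for _, _, msdu in parse_amsdu(payload)]
    return [payload]


def receive_hardened(qos_ctrl: int, payload: bytes, amsdu_enabled: bool = True):
    """Receiver with the advisory's workaround (A-MSDU disabled) plus a heuristic: a genuine A-MSDU never
    starts with an LLC/SNAP header, so a 'DA' of aa:aa:03:00:00:00 means a normal MSDU whose flag was
    flipped. Returns None when the frame is dropped."""
    if qos_ctrl & AMSDU_PRESENT:
        if not amsdu_enabled or payload[:6] == RFC1042_HDR:
            return None
        return [msdu for _, _, msdu in parse_amsdu(payload)]
    return [payload]


def amsdu_subframe(da: bytes, sa: bytes, msdu: bytes) -> bytes:
    return da + sa + struct.pack(">H", len(msdu)) + msdu


def build_amsdu(msdus: list, da: bytes = VICTIM_MAC, sa: bytes = GATEWAY_MAC) -> bytes:
    """A legitimate A-MSDU (padded between subframes), for comparison with the forged case."""
    out = b""
    for i, m in enumerate(msdus):
        sf = amsdu_subframe(da, sa, m)
        if i < len(msdus) - 1:
            sf += b"\x00" * ((-len(sf)) % 4)
        out += sf
    return out


# Constructed "network packet" the attacker wants the victim to accept as if it came from the gateway.
INJECTED_MSDU = RFC1042_HDR + b"\x08\x00" + b"<spoofed IPv4 packet, constructed placeholder>"


def build_victim_frame(injected_msdu: bytes = INJECTED_MSDU) -> bytes:
    """Payload of a normal, legitimately encrypted data frame: LLC/SNAP + IPv4 + UDP, where the UDP data
    is attacker-chosen (e.g. a datagram from an attacker-run server). Re-read as an A-MSDU:
      bytes 0-5   (LLC/SNAP)                  -> first subframe DA
      bytes 6-11  (EtherType + IPv4 bytes 0-3) -> first subframe SA
      bytes 12-13 (IPv4 Identification)       -> first subframe Length, chosen by the packet's sender
    The IP ID is picked so the first subframe ends exactly where the UDP data (the forged subframe) begins."""
    udp_data = amsdu_subframe(VICTIM_MAC, GATEWAY_MAC, injected_msdu)
    udp = struct.pack(">HHHH", 53, 40000, 8 + len(udp_data), 0) + udp_data
    first_subframe_len = (8 + 20 + 8) - 14  # UDP data offset (36) minus the 14-byte subframe header = 22
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), first_subframe_len, 0x4000, 64, 17, 0,
                         bytes([203, 0, 113, 10]), bytes([192, 168, 1, 20]))
    return RFC1042_HDR + b"\x08\x00" + ip_hdr + udp
```

With the flag clear both receivers hand up the single IP packet. With the flag set, receive_naive returns two MSDUs, the second being the attacker's forged packet addressed to the victim, while receive_hardened drops that frame yet still accepts the output of build_amsdu; with amsdu_enabled=False it drops every A-MSDU, which is the blunt workaround the advisory offers.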
No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZguNLKJtyKPYoAQigWw/+Peivv5zbvGY5M1jhHDTW2cbOuSb9xGiZ
3OItKzD2aoFb/REKgdgldY9Mupk/s3wZ+kGT8wbFPQEkDmNhsSfXPRuO217TKfcC
CDngb+/hl9Dw/Yo9L74C51g0nOI4EgnlYh0ahCFsDG5KceuVLt2viZ7mqU9SUKLQ
R0jSaNCHJuqbWv2zLJ4K43R4HJCwC4smX1ENp0b8O2gL66jrC5TjICw7eFU0s7rV
gfrNjk12ETMmXmmULDmNz8qo68+yQdxHt2uDWEKrsZ129c6lZxWsNFO1IkYYDg6Z
jy2JSWmgwLxWtmhVXAeklhM/YuCXzNNNjZKRcKdagS9b1A5vrFrQfL9rEvujJkpq
DKkGtmhnqCdrDUuz/z/l/5jpF5KQhZezB37IEb007OBXndTZCvyATRGKTTN7uTo2
8sRd+EYAqpcMlo13yO17jiL6ZYSxn1aBz8WYfjtbi2cgIz4ZXb63cRMkhXSjCn9Y
SOiAQPk1D10JVgQEAES9EMlXwu0mrnfwuOPJlHVvqN15l5lK+/pQP1n3Iblo+Iaz
jV/vV0KEk1ny85sjxXBBdgWElJz47BbdShwHHts9Hz4D5ed4NwjpUEXlf1ApQaTh
5EsSnMjotNq9soQBXHDmcQqcbxnY56TUZ1iYWTqMNS3e/R2OgTwSk4rBX8ziw0hT
Ompnn5g4sA4=
=q94g
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1714 - [Appliance] Siemens OpenSSL Vulnerabilities in Industrial Products: CVSS (Max): 5.9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1714
   Advisory (icsa-22-104-05) Siemens OpenSSL Vulnerabilities in Industrial Products
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens OpenSSL Vulnerabilities in Industrial Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3449

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-104-05

Comment: CVSS (Max):  5.9 CVE-2021-3449 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-05)
Siemens OpenSSL Vulnerabilities in Industrial Products

Original release date: April 14, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 5.9
o ATTENTION: Exploitable remotely/high attack complexity
o Vendor: Siemens
o Equipment: Siemens Industrial Products
o Vulnerability: NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an unauthenticated attacker to cause a denial-of-service condition if a maliciously crafted renegotiation message is sent.
3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports this vulnerability affects the following products:

o RUGGEDCOM CROSSBOW Station Access Controller: All versions since and including v5.2.0 only when running on ROX v2.14.0
o RUGGEDCOM RCM1224: Versions 6.2 through 7.1
o SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions prior to v1.1
o SCALANCE M804PB (6GK5804-0AP00-2AA2): Versions 6.2 through 7.1
o SCALANCE M812-1 ADSL-Router (Annex A) (6GK5812-1AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M812-1 ADSL-Router (Annex B) (6GK5812-1BA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M816-1 ADSL-Router (Annex A) (6GK5816-1AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M816-1 ADSL-Router (Annex B) (6GK5816-1BA00-2AA2): Versions 6.2 through 7.11
o SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2): Versions 6.2 through 7.1
o SCALANCE M874-2 (6GK5874-2AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M874-3 (6GK5874-3AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE M876-3 (6GK5876-3AA02-2BA2): Versions 6.2 through 7.1
o SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2): Versions 6.2 through 7.1
o SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2): Versions 6.2 through 7.1
o SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2): Versions 6.2 through 7.1
o SCALANCE S602: All versions since and including v4.1
o SCALANCE S612: All versions since and including v4.1
o SCALANCE S615 (6GK5615-0AA00-2AA2): Versions 6.2 through 7.1
o SCALANCE S623: All versions since and including v4.1
o SCALANCE S627-2M: All versions since and including v4.1
o SCALANCE SC622-2C (6GK5622-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC632-2C (6GK5632-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC636-2C (6GK5636-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC642-2C (6GK5642-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE SC646-2C (6GK5646-2GS00-2AC2): Versions 2.0 through 2.1.4
o SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0): Versions 2.0 through 3.0
o SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0): Versions 2.0 through 3.0
o SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0): Versions 2.0 through 3.0
o SCALANCE W-700 IEEE 802.11n family: All versions since and including v6.5
o SCALANCE XB-200: All versions prior to v4.3
o SCALANCE XC-200: All versions prior to v4.3
o SCALANCE XF-200BA: All versions prior to v4.3
o SCALANCE XM-400: All versions prior to v6.4
o SCALANCE XP-200: All versions prior to v4.3
o SCALANCE XR-300WG: All versions prior to v4.3
o SCALANCE XR-500 Family: All versions prior to v6.4
o SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Versions 1.1 through 1.6
o SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Versions 1.1 through 1.6
o SIMATIC CP 1242-7 GPRS V2 (6GK7242-7KX31-0XE0): Versions 3.1 through 3.3
o SIMATIC CP 1243-1 (incl. SIPLUS variants): All versions since and including v3.1
o SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0): Versions 3.1 through 3.3
o SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0): Versions 3.1 through 3.3
o SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): All versions since and including v3.1
o SIMATIC CP 1542SP-1 IRC (incl. SIPLUS variants): All versions since and including v2.1
o SIMATIC CP 1543-1 (6GK7543-1AX00-0XE0): Versions 2.2 through 3.0
o SIMATIC CP 1543SP-1 (incl. SIPLUS variants): All versions since and including v2.1
o SIMATIC CP 1545-1 (6GK7545-1GX00-0XE0): All versions since and including v1.0
o SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): All versions prior to V17.0 Upd 2
o SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): All versions prior to V17.0 Upd 2
o SIMATIC HMI KTP Mobile Panels: All versions prior to v17.0 Upd 2
o SIMATIC Logon: Versions 1.6 Upd 2 through 1.6 Upd 5
o SIMATIC MV540 H (6GF3540-0GE10): All versions prior to v3.1
o SIMATIC MV540 S (6GF3540-0CD10): All versions prior to v3.1
o SIMATIC MV550 H (6GF3550-0GE10): All versions prior to v3.1
o SIMATIC MV550 S (6GF3550-0CD10): All versions prior to v3.1
o SIMATIC MV560 U (6GF3560-0LE10): All versions prior to v3.1
o SIMATIC MV560 X (6GF3560-0HE10): All versions prior to v3.1
o SIMATIC PCS 7 TeleControl: All versions
o SIMATIC PCS neo: All versions prior to v3.1
o SIMATIC PDM: Versions 9.1 Upd 7 through 9.2 SP 1
o SIMATIC Process Historian OPC UA Server: All versions 2019 through 2020 Upd 1
o SIMATIC RF166C: All versions
o SIMATIC RF185C: All versions
o SIMATIC RF186C: All versions
o SIMATIC RF186CI: All versions
o SIMATIC RF188C: All versions
o SIMATIC RF188CI: All versions
o SIMATIC RF360R: All versions
o SIMATIC RF600R family: All versions prior to v4.0
o SIMATIC S7-1200 CPU family (incl. SIPLUS variants): All versions prior to v4.5.2
o SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant): All versions prior to v2.9.3
o SIMATIC WinCC Runtime Advanced: All versions prior to v17 Update 1
o SIMATIC WinCC TeleControl: All versions
o SINAMICS Connect 300: All versions
o SINEC NMS: Versions 1.0 SP1 through 1.0 SP2
o SINEMA Server: Versions 14 through 14 SP3
o SINUMERIK OPC UA Server: All versions prior to v3.1 SP1
o SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0): Versions 2.2 through 3.0
o SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): Versions 2.0 through 2.2
o TIA Administrator: All versions prior to v1.0 SP4
o TIM 1531 IRC (6GK7543-1MX00-0XE0): Versions 2.0 through 2.2

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client.
If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension, where it was present in the initial ClientHello, but includes a signature_algorithms_cert extension, then a NULL pointer dereference will occur, leading to a crash and a denial-of-service condition. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled, which is the default configuration. OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. This vulnerability is fixed in OpenSSL 1.1.1k.

CVE-2021-3449 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions available. Siemens is preparing further updates and recommends countermeasures for products where updates are not, or not yet, available. Please see Siemens SSA-772220 to determine if there is an update available.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security, and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact Siemens.
Additional Reference: SSA-772220 (PDF)
Additional Reference: SSA-772220 (TXT)
Additional Reference: SSA-772220 (CSAF)

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.
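The trigger described in 3.2.1 is a sequence of two ClientHello messages on one TLS 1.2 connection: the first carries signature_algorithms, the renegotiation ClientHello drops it but still carries signature_algorithms_cert. The Python below is an added example written for this page, not code from the advisory, from Siemens or from the OpenSSL project. It parses the extension list of a ClientHello, keeps per-connection state so the described sequence can be flagged, and builds constructed ClientHello records as sample input. One caveat the detector depends on: in TLS 1.2 a renegotiation ClientHello travels inside the already-encrypted session, so a passive sensor on the wire never sees it; the monitor is only useful where decrypted records are available (a TLS-terminating proxy placed in front of the device, a hook in a server you run, or a capture decrypted with logged session keys). The last two functions show the server-side workaround for a TLS endpoint you can configure: refusing renegotiation with OP_NO_RENEGOTIATION, which closes the only path to the bug. That is not something you can apply to the embedded products listed above, where the fix is the vendor update; it is a hypothetical hardening for a general OpenSSL-backed server.

```python
import ssl
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SIGNATURE_ALGORITHMS = 13       # RFC 5246 / RFC 8446
EXT_SIGNATURE_ALGORITHMS_CERT = 50  # RFC 8446


def client_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record holding a complete ClientHello; return {extension_type: extension_data}."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                           # client_version + random
    off += 1 + body[off]                                   # session_id
    off += 2 + struct.unpack(">H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                                   # compression_methods
    exts = {}
    if off + 2 > len(body):                                # the extensions block is optional
        return exts
    (ext_len,) = struct.unpack(">H", body[off:off + 2])
    off, end = off + 2, off + 2 + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack(">HH", body[off:off + 4])
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


class RenegotiationMonitor:
    """Per-connection state for the trigger the advisory describes: the initial ClientHello carried
    signature_algorithms, and a later (renegotiation) ClientHello omits it but still carries
    signature_algorithms_cert. observe() returns True for the ClientHello that completes the pattern."""

    def __init__(self):
        self.initial_had_sigalgs = None

    def observe(self, record: bytes) -> bool:
        exts = client_hello_extensions(record)
        if self.initial_had_sigalgs is None:               # first ClientHello of the connection
            self.initial_had_sigalgs = EXT_SIGNATURE_ALGORITHMS in exts
            return False
        return (self.initial_had_sigalgs
                and EXT_SIGNATURE_ALGORITHMS not in exts
                and EXT_SIGNATURE_ALGORITHMS_CERT in exts)


def build_client_hello(extensions: dict) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions.items())
    body = (b"\x03\x03" + bytes(32)       # client_version TLS 1.2, all-zero random (sample only)
            + b"\x00"                      # empty session_id
            + b"\x00\x02\xc0\x2f"          # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(hs)) + hs


# SignatureSchemeList sample: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
SIGALGS = b"\x00\x04\x04\x03\x08\x04"


def hardened_server_context() -> ssl.SSLContext:
    """Hypothetical workaround for a TLS server you control that still runs OpenSSL 1.1.1 < 1.1.1k: the
    crash is only reachable through a renegotiation ClientHello, so refuse renegotiation outright.
    Needs Python linked against OpenSSL >= 1.1.0h for OP_NO_RENEGOTIATION. (TLS 1.3 has no renegotiation.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)
```

Feed the monitor every ClientHello of one connection in order; only a second ClientHello that drops signature_algorithms while keeping signature_algorithms_cert, after an initial one that had signature_algorithms, returns True, which matches the advisory's precondition exactly rather than flagging every renegotiation.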
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZceNLKJtyKPYoAQh/hg/+JYijf7fuy9LdJHt+P5QT33e7XlBEonyU
jg6tq+lDDGmZjAQqEopHiID5Yl4xlCdxj4uX3dILQvGXzYMNNIrZgn5SaNoaduZP
RqsRDdo/Bwh+MmkNzY73ES2W1T8dp0LcJG4LFQb2SDDnKO2n/VWZ53IKiA7KZjTQ
Eu/hqfW8bl32ZK+jL5tf9iNtGXWw+lS55QgoQBow102NzPoIgAZGuqazMXKXP6nm
rGKW0RTRIEQOUBg6MYo0sEHjCfkEOQZlrO4E53+wODVemh3i84Ogm3HGZYf0qNau
UA8QIGmKUIW1xw2UoP55/GedZQMwbWUFzSaWWh7ptmH6kw98Fj0C+tiZG2cM9apu
O5Mx5df3epT3bhSwUkeEBPSMrjHR84zyr49HIReTB1j004N422DcvzjZ3YO0E+Fg
whVJXWvVn7yFWPJ1zJWrSLqKHihOk3LLN/2zjLuikfVaYN+U0+KQEWrAHilQeBfT
RxWm013Iz9sky2PJIdZvNIB6FeojDBs+uzkBcbuepNTRAVscrS5/w+Mavt3blV8u
S0ikq7Ine4KNf+K1onyi/r/0IQtqJKyMYe6hFApxidyTuAb/1MRqTWqArlmdG9uH
Ch6049oIxT2PQSqMEqFDm/1qfpTToWVyr/rG/txQ8rufGMa84lh5hei8ZkZoU9Q6
ABbo9DT+R/U=
=ueqU
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1713 - [Appliance] Siemens PROFINET Stack Integrated on Interniche Stack: CVSS (Max): 5.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1713
   Advisory (icsa-22-104-06) Siemens PROFINET Stack Integrated on Interniche Stack
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens PROFINET Stack Integrated on Interniche Stack
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25622

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-104-06

Comment: CVSS (Max):  5.3 CVE-2022-25622 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-06)
Siemens PROFINET Stack Integrated on Interniche Stack

Original release date: April 14, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: PROFINET Stack Integrated on Interniche Stack
o Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products are affected:

o SIMATIC CFU DIQ (6ES7655-5PX31-1XX0): All versions
o SIMATIC CFU PA (6ES7655-5PX11-0XX0): All versions
o SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants): All versions
o SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants): All versions prior to v6.0.10
o SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants): All versions
o SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): All versions prior to v2.0.0
o SIMATIC TDC CP51M1: All versions
o SIMATIC TDC CPU555: All versions
o SIMATIC WinAC RTX: All versions
o SIMIT Simulation Platform: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, improperly handles internal resources for TCP segments whose header length field is smaller than the defined minimum TCP header length. This could allow an attacker to create a denial-of-service condition for TCP services on affected devices by sending specially crafted TCP segments.

CVE-2022-25622 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Multiple
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens recommends the following workarounds and mitigations users can apply to reduce risk:

o SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants): Update to v6.0.10 or later version.
o SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): Update to v2.0.0 or later version.
o Limit access to Port 102/TCP to trusted users and systems only.
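Section 3.2.1 describes TCP segments whose header length claims less than the minimum, and the mitigation list ends with restricting access to 102/TCP. As an added example (not Siemens code, and not a reproduction of the affected stack's internals, which the advisory does not detail), the Python below implements the header-length sanity check that a protective device, proxy or pre-filter in front of 102/TCP can enforce before a segment reaches a fragile stack, together with a builder for constructed sample segments to port 102 so the check can be exercised offline. It enforces the RFC minimum (a data offset of at least 5 32-bit words), rejects an offset larger than the segment itself, and walks the options so a truncated or zero-length option cannot slip past the length check.

```python
import struct

MIN_TCP_HEADER = 20  # data offset of 5 words; RFC 793 / RFC 9293 allow nothing smaller
FLAG_SYN = 0x02


def validate_tcp_segment(segment: bytes) -> tuple:
    """Return (ok, reason). Rejects the malformed class the advisory describes (header length below the
    20-byte minimum), its mirror image (header longer than the segment), and options that do not parse."""
    if len(segment) < MIN_TCP_HEADER:
        return False, "segment shorter than the minimum TCP header"
    data_offset = (segment[12] >> 4) * 4          # upper nibble of byte 12, counted in 32-bit words
    if data_offset < MIN_TCP_HEADER:
        return False, f"data offset {data_offset} bytes is below the 20-byte minimum"
    if data_offset > len(segment):
        return False, f"data offset {data_offset} exceeds segment length {len(segment)}"
    opts, i = segment[MIN_TCP_HEADER:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # No-Operation (single byte)
            i += 1
            continue
        # Every other option carries a length byte that must be >= 2 and must fit in the option area.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return False, f"malformed TCP option kind {kind}"
        i += opts[i + 1]
    return True, "ok"


def build_segment(data_offset_words: int, options: bytes = b"", payload: bytes = b"",
                  flags: int = FLAG_SYN, dst_port: int = 102) -> bytes:
    """Constructed sample segment (default: a SYN to 102/TCP, the ISO-TSAP port the advisory says to
    restrict). data_offset_words is written verbatim so malformed values can be produced on purpose."""
    header = struct.pack(">HHIIBBHHH",
                         40000, dst_port,            # source port, destination port
                         1, 0,                       # sequence number, acknowledgement number
                         data_offset_words << 4,     # data offset (4 bits) followed by reserved bits
                         flags, 8192, 0, 0)          # flags, window, checksum (left 0 here), urgent pointer
    return header + options + payload


def dropped_segments(segments: list) -> list:
    """Pre-filter view: (index, reason) for each segment that would be dropped before forwarding."""
    drops = []
    for i, seg in enumerate(segments):
        ok, reason = validate_tcp_segment(seg)
        if not ok:
            drops.append((i, reason))
    return drops
```

A segment with a data offset of 2 (an 8-byte header) or 15 (60 bytes claimed in a 20-byte segment) is rejected before any TCP state is touched; a normal SYN, with or without a well-formed MSS option, passes. This does not replace the vendor update, since anything that reaches the PLC on an allowed path still hits the vulnerable stack, but it is the check a filtering device between untrusted networks and 102/TCP can apply.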
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and to follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

For additional information, please refer to Siemens Security Advisory SSA-446448 - PDF Version, SSA-446448 - TXT Version, or SSA-446448 - CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZYONLKJtyKPYoAQg/6BAAo7ldIfzhCb6YXLPxYFgsZz7kcZAVqL3Q
uVUpZyGULlZCfCQyJVoWAObvBM8mmCeulWL4zQBnTEWIBrw48RyoOG/TBLtR5Sst
qBRjZHx2CH9DXFvHK2tcgipvsgjtmHAKMmBO+Pek1Kiw2B28Sb9rdjoVQx5Tntg9
ZbunZ4vUcChaDOsNaXhecXza4u9aDzQVGUuutCXBSm3+jAqDAxcaCPCNTiGBpBa/
7h64KiPpdW9TzpW/YUrmMTW+PCORlPlBIaovGS4/2RxJbTEIi+mNc9H9qJB6/7Dw
YfTZPVCABCrtWQvbo0IPFTfu73gP8ietkhI3G/oyHron3Gs9O2Q3F6s2OUPxBJY2
rQ8JsSk+NW3G0h9VvtPUPZDYLrh9bFfUJhPIuKXiEk8Os4IXJesB3VPdHdFobBwU
Ao8kh18ZS3bX0Re50sgnGAh0m9bBE8MyAhbl6HwyotF6AMkILZEAncjdLYFsu/2C
uOTdcEHfFVEblkHJ00CyXEodZr5K+XjZBHQ+4ftp8TvHu+9f7mDPtmVF9qn9uI/v
ZSOEF4tkgDjb566uhH1hE2cUqvYdW98EYLEWVnJg3ZFqdRSsKifBz0DhanLivlz6
J0mlFlCbjXXTnZmi5XCs8RYNzgCO2enwzqP5qqdqx2iAv1Tfoc0tKqMBJjWlEHmW
0H2nWeUGP2U=
=YoFL
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1712 - [Appliance] Siemens Mendix: CVSS (Max): 5.3

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1712
Advisory (icsa-22-104-07) Siemens Mendix
20 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Siemens Mendix
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27241

Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-07

Comment: CVSS (Max): 5.3 CVE-2022-27241 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-07)
Siemens Mendix
Original release date: April 14, 2022

Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 5.3
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: Mendix
o Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to read sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mendix, a software platform to build mobile and web applications, are affected:

o Mendix applications using Mendix 7: All versions
o Mendix applications using Mendix 8: All versions
o Mendix applications using Mendix 9: All versions prior to 9.11

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information.

CVE-2022-27241 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has provided the following specific workarounds and mitigations:

o Mendix applications using Mendix 7: No fix currently planned
o Mendix applications using Mendix 8: No fix currently planned
o Mendix applications using Mendix 9: Update to Version 9.11 or later

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-414513.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

--------------------------END INCLUDED TEXT--------------------
20 April 2022

ESB-2022.1711 - [Appliance] Siemens SCALANCE W1700: CVSS (Max): 7.4

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1711
Advisory (icsa-22-104-08) Siemens SCALANCE W1700
20 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Siemens SCALANCE W1700
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28329 CVE-2022-28328 CVE-2022-27481

Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-08

Comment: CVSS (Max): 7.4 CVE-2022-27481 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-08)
Siemens SCALANCE W1700
Original release date: April 14, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 7.4
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE W1700
o Vulnerabilities: Race Condition, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause various denial-of-service conditions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SCALANCE, a wireless communication device, are affected:

o SCALANCE W1788-1 M12: All versions prior to 3.0.0
o SCALANCE W1788-2 EEC M12: All versions prior to 3.0.0
o SCALANCE W1788-2 M12: All versions prior to 3.0.0
o SCALANCE W1788-2IA M12: All versions prior to 3.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION ('RACE CONDITION') CWE-362

The affected product does not properly handle resources of ARP requests. This could allow an attacker to cause a race condition that leads to a crash of the entire device.

CVE-2022-27481 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

The affected product does not properly handle malformed Multicast LLC frames. This could allow an attacker to trigger a denial-of-service condition.

CVE-2022-28328 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

The affected product does not properly handle malformed TCP packets received over the RemoteCapture feature. This could allow an attacker to cause a denial-of-service condition, which only affects the port used by the RemoteCapture feature.

CVE-2022-28329 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends installing the following software updates to address these vulnerabilities:

o Update SCALANCE W1788-1 M12 to Version 3.0.0 or later
o Update SCALANCE W1788-2 EEC M12 to Version 3.0.0 or later
o Update SCALANCE W1788-2 M12 to Version 3.0.0 or later
o Update SCALANCE W1788-2IA M12 to Version 3.0.0 or later

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For additional information, please refer to Siemens Security Advisory SSA-392912.

No known public exploits specifically target these vulnerabilities.

--------------------------END INCLUDED TEXT--------------------
20 April 2022

ESB-2022.1710 - [Appliance] Siemens SCALANCE X-300 Switches: CVSS (Max): 9.6

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1710
Advisory (icsa-22-104-09) Siemens SCALANCE X-300 Switches
20 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Siemens SCALANCE X-300 Switches
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26380 CVE-2022-26335 CVE-2022-26334 CVE-2022-25756 CVE-2022-25755 CVE-2022-25754 CVE-2022-25753 CVE-2022-25752 CVE-2022-25751

Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-104-09

Comment: CVSS (Max): 9.6 CVE-2022-26335 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-09)
Siemens SCALANCE X-300 Switches
Original release date: April 14, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 9.6
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Siemens
o Equipment: SCALANCE X-300 switch family devices
o Vulnerabilities: Improper Input Validation, Use of Insufficiently Random Values, Stack-based Buffer Overflow, Cross-site Request Forgery, Improper Access Control, Basic XSS, Classic Buffer Overflow, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to reboot, cause denial-of-service conditions, and impact the system by other means through buffer overflow vulnerabilities.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

o SCALANCE X302-7 EEC: All versions prior to v4.1.4
o SCALANCE X304-2FE: All versions prior to v4.1.4
o SCALANCE X306-1LD FE: All versions prior to v4.1.4
o SCALANCE X307-2 EEC: All versions prior to v4.1.4
o SCALANCE X307-3: All versions prior to v4.1.4
o SCALANCE X307-3LD: All versions prior to v4.1.4
o SCALANCE X308-2: All versions prior to v4.1.4
o SCALANCE X308-2LD: All versions prior to v4.1.4
o SCALANCE X308-2LH: All versions prior to v4.1.4
o SCALANCE X308-2LH+: All versions prior to v4.1.4
o SCALANCE X308-2M: All versions prior to v4.1.4
o SCALANCE X308-2M POE: All versions prior to v4.1.4
o SCALANCE X308-2M TS: All versions prior to v4.1.4
o SCALANCE X310: All versions prior to v4.1.4
o SCALANCE X310FE: All versions prior to v4.1.4
o SCALANCE X320-1 FE: All versions prior to v4.1.4
o SCALANCE X320-1-2LD FE: All versions prior to v4.1.4
o SCALANCE X408-2: All versions prior to v4.1.4
o SCALANCE XR324-4M EEC: All versions prior to v4.1.4
o SCALANCE XR324-4M PoE: All versions prior to v4.1.4
o SCALANCE XR324-4M PoE TS: All versions prior to v4.1.4
o SCALANCE XR324-12M: All versions prior to v4.1.4
o SCALANCE XR324-12M TS: All versions prior to v4.1.4
o SIPLUS NET SCALANCE X308-2: All versions prior to v4.1.4
o Smart Security Manager: Versions 1.5 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

Affected devices do not properly validate the HTTP headers of incoming requests. This could allow an unauthenticated remote attacker to crash affected devices.

CVE-2022-25751 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H).

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

The webserver of affected devices calculates session ids and nonces in an insecure manner. This could allow an unauthenticated remote attacker to brute-force session ids and hijack existing sessions.

CVE-2022-25752 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

The handling of arguments such as IP addresses in the CLI of affected devices is prone to buffer overflows. This could allow an authenticated remote attacker to execute arbitrary code on the device.

CVE-2022-25753 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The integrated web server of the affected device could allow remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request.

CVE-2022-25754 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

The webserver of an affected device is missing specific security headers. This could allow a remote attacker to extract confidential session information under certain circumstances.

CVE-2022-25755 has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

3.2.6 IMPROPER NEUTRALIZATION OF SCRIPT-RELATED HTML TAGS IN A WEB PAGE (BASIC XSS) CWE-80

The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. This can be used by an attacker to trigger a malicious request on the affected device.

CVE-2022-25756 has been assigned to this vulnerability. A CVSS v3 base score of 7.9 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.7 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120

Affected devices do not properly validate the GET parameter XNo of incoming HTTP requests. This could allow an unauthenticated remote attacker to crash affected devices.

CVE-2022-26334 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H).

3.2.8 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120

Affected devices do not properly validate the URI of incoming HTTP GET requests. This could allow an unauthenticated remote attacker to crash affected devices.

CVE-2022-26335 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.9 OUT-OF-BOUNDS READ CWE-125

Affected devices do not properly validate if a certain SNMP key exists. An attacker could use this to trigger a reboot of an affected device by requesting specific SNMP information from the device.

CVE-2022-26380 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Messner and Abian Blome of Siemens Energy coordinated the disclosure of CVE-2022-25751 and CVE-2022-25756 to CISA.

4. MITIGATIONS

Siemens recommends upgrading all X-300 switch family devices to v4.1.4 or later.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

o Restrict access to the affected systems, especially to Ports 22/TCP, 161/UDP, and 443/TCP, and use trusted IP addresses only.
o Disable SNMP service, if possible.
o Deactivate the webserver if not required, and if deactivation is supported by the product.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the Siemens operational guidelines for industrial security and follow the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-836527.

No known public exploits specifically target these vulnerabilities.

--------------------------END INCLUDED TEXT--------------------
20 April 2022

ESB-2022.1709 - [Appliance] Siemens SICAM A8000: CVSS (Max): 5.3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1709
                Advisory (icsa-22-104-10) Siemens SICAM A8000
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SICAM A8000
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-27480

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-104-10

Comment: CVSS (Max):  5.3 CVE-2022-27480 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-10)

Siemens SICAM A8000

Original release date: April 14, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 5.3
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Siemens
  o Equipment: SICAM A8000
  o Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access files without authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o SICAM A8000 CP-8031: All versions prior to v4.80
  o SICAM A8000 CP-8050: All versions prior to v4.80

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Affected devices do not require a user to be authenticated to access certain files. This could allow an unauthenticated attacker to download these files.

CVE-2022-27480 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Steffen Robertz, Gerhard Hechenberger, and Thomas Weber of SEC Consult Vulnerability Lab reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens recommends updating the SICAM A8000 devices to v4.80 or later.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the Siemens operational guidelines for industrial security and follow the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-316850.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+ZAONLKJtyKPYoAQhBPw//cucynoB+pdtMffNiPJxPY4fbPUEFViZz
hMrttl/yHj+qWtzoHYort/nUWRlEjIemrFf0EOLyDavKeEJa1yu3CplVKfy10yGg
A8ugw0meWJSD/Sju6Inri4z+v16euxck/nO9GYBmMbQgEKHGKL7e+1RrG5xSJ6xt
GiOite1pl09ifWi81GY+wQ6A7coGcmqO+llbyk/TpEnsnUAZICdOTgnWJOeP6OO7
d7XS6H33W1mPBBKwdW6K0cR1ZdC3S5OBXZNau05ugHt5Dv3RdXrj/iR3dU5Sq1DD
b0/D/gvAJmvQcchlpi9FPIDqKYhka3pcvaDopWxX0VM+LCWsB9d0qKFTx+E8L/X7
I4YdtkE3mj4TZQiaYKOK0q6UjZMqsxD85MEci/Lw6LmTIKO6P1yiFVm6Md+NE2/Y
sTkeV1I7l6rdxYLvb21VjEVTYlqB83VW2FdwmI85HMIX//9k+cWcupdJi7LpRZ10
Y30TSKXwU6qCgWUoj1TYpAOS3zFRZPMC4CVQcaei2NQ+FS0oMRkqdVkOuuozCHLD
HIk17z6ePlXJTjDucOSN24Z5g2ayH1DI9vsQaoR3dGlK3fYGXFkpcdfQq3uvBgtb
BcLCmU7A0x0Z8GBFU9LHmFEKyoIjy+0K1/59DOABP2BGWq2jkE1cQTjj3D0uKoF9
szO2CtCcVIU=
=8atC
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1708 - [Appliance] Interlogix Hills ComNav: CVSS (Max): 6.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1708
               Advisory (icsa-22-109-01) Interlogix Hills ComNav
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Interlogix Hills ComNav
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26519 CVE-2022-1318

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01

Comment: CVSS (Max):  6.2 CVE-2022-1318 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-109-01)

Interlogix Hills ComNav

Original release date: April 19, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 6.2
  o ATTENTION: Low attack complexity
  o Vendor: Interlogix is a part of Carrier Global Corporation
  o Equipment: Hills ComNav
  o Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to log in to modify the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Carrier reports these vulnerabilities affect the following Hills ComNav remote access integration modules:

  o Hills ComNav: versions prior to 3002-19

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.

CVE-2022-26519 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.2 INADEQUATE ENCRYPTION STRENGTH CWE-326

Hills ComNav Version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets is predictable. These issues could allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic was encrypted (e.g., using WPA2, as the packet sizes would remain observable).

CVE-2022-1318 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  o COUNTRIES/AREAS DEPLOYED: Australia
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Jacob Thompson of Flinders University, Dr. Paul Gardner-Stephen of Flinders University and DEWC Systems, and Dr. Samuel Chenoweth of Defence Science and Technology Group reported these vulnerabilities to Carrier.

4. MITIGATIONS

Carrier recommends users upgrade to Version 4000-12 or later, which is the latest supported version at the time of this publication. Please contact the Hills distributor to acquire the firmware update.

More information on this issue can be found in Carrier product security advisory CARR-PSA-002-1121.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+Y9eNLKJtyKPYoAQjjpg//eC66A901tunUWtRgzGXNgCQouP1Iiw0o
9y/QvvZIfsNM73znD+41zWdxPsfnHt+ntF3NMbD09GoA8alm9DhGE8+uR1vQZ99G
SbgdKmT1dmJjYPtVD3vsDUNDxi4YZd6FTI2kfWtLuJDHzAYPQ00OIOkProEPJ0Kj
ZvTjm0/naOCIj3IL+ES86DUg4mrfDoKQHeho7KjW09+nGz+bMTys3hjvuI46eiLa
oF3efTKW2MuP/sn1SHNCqcqYkr+CqPE0mxnbZ6YTfb0CRjl/BBSuQWycqdqEoVJn
IN0BtvsadT3hdwbNU4eYHY1z9F6FQ/U562yRyEq2sadwToihfXZT+S9u2sFkVhtJ
gcHR9xzXdpbO8kK/UWp+eVWj1s4sUcdU03VynLlMeatQCIgbYcdJunX+Sgc94k5l
dD/UvurECue6l+/CfHPlHIRbIYUHC8RPlLBA3XjnLw0/lijWMesgNaS6wwKxZNN4
tU7oKVX5cuwnDBga6mB5dJmWp9Pc181dy3qb5B+CYBqDzOgNnqaAhV/QdrddSrkr
goIGW4bzlt7hk6HWIgVrQWZfe71O6tvljdUaQ9BRBLihgTDHB45zaNpJLfVB8G46
/1YwqWaEDlohmAGr5WFKPlpzQ8cdBV2AC3JImueM4XqRPGAT5h5k4Zd2ZqMizAQu
HzD3ndNB9Y4=
=ubjt
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1707 - [Appliance] Automated Logic WebCTRL: CVSS (Max): 5.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1707
                         Automated Logic WebCTRL
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Automated Logic WebCTRL
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1019

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02

Comment: CVSS (Max):  5.2 CVE-2022-1019 (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-109-02)

Automated Logic WebCTRL

Original release date: April 19, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 5.2
  o ATTENTION: Low attack complexity/exploitable remotely
  o Vendor: Automated Logic is a part of Carrier Global Corporation
  o Equipment: WebCtrl Server
  o Vulnerability: Open Redirect

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to redirect the user to a malicious webpage or to download a malicious file.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Carrier reports this vulnerability affects the following Automated Logic WebCtrl Server building automation software products:

  o WebCtrl Server: All versions up to 7.0

3.2 VULNERABILITY OVERVIEW

3.2.1 OPEN REDIRECT CWE-601

WebCtrl Version 6.1 "Help" index pages are vulnerable to open redirection. If a user visits a maliciously crafted URL, this vulnerability could allow an attacker to redirect a user to a malicious webpage or download a malicious file.

CVE-2022-1019 has been assigned to this vulnerability. A CVSS v3 base score of 5.2 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Chizuru Toyama of TXOne IoT/ICS Security Research Labs, working with Trend Micro's Zero Day Initiative, reported this vulnerability to CISA.

4. MITIGATIONS

Carrier recommends users contact an Automated Logic dealer for instructions to download the latest version of WebCTRL.

Carrier also recommends the following manual workaround:

  o An administrator can add the CSP header/meta tag to each "index.htm" file in each of the directories under "/webroot/_common/lvl5/help/*"
  o Example would read:

Please see Carrier product security advisory CARR-PSA-001-1121 for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should take the following measures to protect themselves from social engineering attacks:

  o Do not click web links or open unsolicited attachments in email messages.
  o Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  o Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+Y5ONLKJtyKPYoAQhglA//VnuVyLaoAE8S1fuFYU1ZV/JgwZD0/nby
xY0FsReY4Ah4Zyi9jtD+csN3G1uwLuK6I81hJeb5YbZkSqSNo1BgdSTXFzlhrqlx
2Yjysh/ryeEGvZ7CVr868gcOzRRIdOLTXsybQJvxbpETll3kW60ClgCu6NA5VBZd
/TwvLs9f0Fex+Wg81Dp3THldC6AZniTnGH4/+iMtPvNjNmLYGdPPQsWKhG1tpvit
Ili/4CzKUS4qw77mSVxHRSPkxyoIpTYpMny2+aywrDxczrpAgxwZ4UBOwUa7GeKC
y+DtgMC+VIEfAnO6szciLCz4Orrlk/96XXPkTGxznPjDtFC35wFn6nvAhyuQHn8U
sx6+WTiBkMPbTG1Bb9g4Lj2I0OhrAOXmd3tpRKNhzZfwXtk5ONr4YZA8OpFxz5qV
M1IvUJL3ROmaTOZa0FkfjQ7YU6Yb+poDds3YiDq0x5SHJm/5ScFufrCOWglcQu9U
dE3YWx4GlEabCR/79Iiq70IVU7lwfR7Jw7t2+SIdV2XIK8KHc9iqk9TZj4g0ceUU
Uq4tLdqKEs+g6WBFj0vK1xBHHYE7YDhU6VfTR1MHxoMK01O+VpjIEhrGeLQhVDQW
DJzs9DhVKy7Ok+ATRGXcLumXZnIzf1Pmxm+HQw8bfe3MkREzGAunMRf++z5G5Mbu
SuX2anHiKAw=
=v/Ok
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1706 - [Appliance] FANUC ROBOGUIDE Simulation Platform: CVSS (Max): 6.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1706
          Advisory (icsa-22-109-03) FANUC ROBOGUIDE Simulation Platform
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FANUC ROBOGUIDE Simulation Platform
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43990 CVE-2021-43988 CVE-2021-43986
                   CVE-2021-43933 CVE-2021-38483

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03

Comment: CVSS (Max):  6.1 CVE-2021-43988 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-109-03)

FANUC ROBOGUIDE Simulation Platform

Original release date: April 19, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 6.1
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: FANUC Corporation / FANUC America Corporation
  o Equipment: ROBOGUIDE
  o Vulnerabilities: Incorrect Permission Assignment for Critical Resource, Improper Access Control, Path Traversal, Improper Restriction of XML External Entity Reference, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow for remote code execution, or provide unauthorized privilege escalation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ROBOGUIDE, a simulation platform software suite for FANUC Robots, are affected:

  o ROBOGUIDE v9.40083.00.05 (Rev T) and earlier

Note: This offline simulation software program does not provide any control or management of physical devices or processes. It is included because it is used in Industrial Control Systems (ICS).

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation.

CVE-2021-38483 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation.

CVE-2021-43986 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The affected product is vulnerable to a network-based attack by threat actors utilizing crafted naming conventions of files to gain unauthorized access rights.

CVE-2021-43988 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H).

3.2.4 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.

CVE-2021-43990 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H).

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The affected product is vulnerable to a network-based attack by threat actors sending unimpeded requests to the receiving server, which could cause a denial-of-service condition due to lack of heap memory resources.

CVE-2021-43933 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Japan, United States

3.4 RESEARCHER

Sharon Brizinov with Claroty reported these vulnerabilities to CISA.

4. MITIGATIONS

FANUC has created a new version to address these vulnerabilities. Users may obtain and install the new version by downloading ROBOGUIDE v9 Rev U or higher from the FANUC or FANUC America website (login required).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
20 April 2022

ESB-2022.1705 - [Appliance] Elcomplus SmartPPT SCADA: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1705
            Advisory (icsa-22-109-04) Elcomplus SmartPPT SCADA
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Elcomplus SmartPPT SCADA
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43939 CVE-2021-43934 CVE-2021-43932
                   CVE-2021-43930

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04

Comment: CVSS (Max):  9.8 CVE-2021-43934 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-109-04)

Elcomplus SmartPPT SCADA

Original release date: April 19, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Elcomplus
  o Equipment: SmartPPT
  o Vulnerabilities: Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Authorization, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could provide attackers a way to traverse the file system to access files or directories that are outside of the restricted directory; allow the upload or transfer of files of dangerous types that can be automatically processed within the product's environment; allow unauthorized access to an action or a resource; or allow a user to store dangerous data in a trusted database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of SmartPPT SCADA, an integrated voice and data dispatch software, is affected:

  o SmartPPT SCADA v1.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

An attacker can inject JavaScript code into a specific parameter that can be executed upon accessing the dashboard or the main page.

CVE-2021-43932 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER AUTHORIZATION CWE-285

A low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints.

CVE-2021-43939 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files.

CVE-2021-43934 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The backup and restore system does not adequately validate download requests, enabling malicious users to perform path traversal attacks and potentially download arbitrary files from the system.

CVE-2021-43930 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Communications
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Russia

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Elcomplus has released an update to fix these vulnerabilities and recommends users upgrade to Version 2.3.4 or later. For more information, please contact Elcomplus support.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
20 April 2022

ESB-2022.1704 - [Appliance] Elcomplus SmartPPT SCADA Server: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1704
         Advisory (icsa-22-109-05) Elcomplus SmartPPT SCADA Server
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Elcomplus SmartPPT SCADA Server
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43938 CVE-2021-43937 CVE-2021-43934
                   CVE-2021-43932 CVE-2021-43930

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05

Comment: CVSS (Max):  9.8 CVE-2021-43932 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-109-05)

Elcomplus SmartPPT SCADA Server

Original release date: April 19, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Elcomplus
  o Equipment: SmartPPT SCADA Server
  o Vulnerabilities: Cross-site Scripting, Unauthorized Exposure to Sensitive Information, Unrestricted Upload of File with Dangerous Type, Path Traversal, Cross-site Request Forgery

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthorized user to store dangerous data in a trusted database; potentially expose sensitive information; allow malicious users to upload arbitrary files; provide attackers a way to traverse the file system to access files or directories that are outside of the restricted directory; or result in exposure of data or unintended code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of SmartPPT SCADA Server, an integrated voice and data dispatch software, is affected:

  o SmartPPT SCADA Server v1.4

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

An authenticated attacker can inject arbitrary JavaScript into critical parameters.

CVE-2021-43932 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 INFORMATION EXPOSURE CWE-200

An unauthenticated user can request various files from the server without any authentication or authorization.

CVE-2021-43938 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The server has a feature that allows the upload of application updates; however, validation is not required, which enables malicious users to upload arbitrary files.

CVE-2021-43934 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 PATH TRAVERSAL CWE-35

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize dot slash sequences that can resolve to a location that is outside of that directory.

CVE-2021-43930 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 CROSS-SITE REQUEST FORGERY CWE-352

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVE-2021-43937 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Communications
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Russia

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Elcomplus has released an update to fix these vulnerabilities and recommends users upgrade to Version 2.3.4 or later. For more information, please contact Elcomplus support.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
20 April 2022

ASB-2022.0098 - [Win][UNIX/Linux] Oracle iLearning: CVSS (Max): 6.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0098
                  Oracle iLearning Critical Patch Update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle iLearning
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23437

Comment: CVSS (Max):  6.5 CVE-2022-23437 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

OVERVIEW

Multiple vulnerabilities have been identified in:

  o Oracle iLearning, versions 6.2, 6.3 [1]

IMPACT

The vendor has provided the following information regarding the vulnerability:

"This Critical Patch Update contains 1 new security patch for Oracle iLearning. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1]

CVE-2022-23437  6.5  AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Supported versions that are affected are 6.2 and 6.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iLearning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle iLearning.

Affects:
  o Oracle iLearning 6.2, 6.3

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem." [1]

REFERENCES

  [1] Oracle Critical Patch Update Advisory - April 2022
      https://www.oracle.com/security-alerts/cpuapr2022.html

  [2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
      https://www.oracle.com/security-alerts/cpuapr2022verbose.html

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
20 April 2022

ASB-2022.0097 - [Win][UNIX/Linux] Oracle Hyperion: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0097
                  Oracle Hyperion Critical Patch Update
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Hyperion BI+
                   Oracle Hyperion Calculation Manager
                   Oracle Hyperion Data Relationship Management
                   Oracle Hyperion Financial Management
                   Oracle Hyperion Infrastructure Technology
                   Oracle Hyperion Planning
                   Oracle Hyperion Profitability and Cost Management
                   Oracle Hyperion Tax Provision
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23305 CVE-2021-44832 CVE-2021-31812
                   CVE-2020-7760 CVE-2020-6950

Comment: CVSS (Max):  9.8 CVE-2022-23305 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

Multiple vulnerabilities have been identified in:

  o Oracle Hyperion BI+, versions prior to 11.2.8.0
  o Oracle Hyperion Calculation Manager, versions prior to 11.2.8.0
  o Oracle Hyperion Data Relationship Management, versions prior to 11.2.8.0, prior to 11.2.9.0
  o Oracle Hyperion Financial Management, versions prior to 11.2.8.0
  o Oracle Hyperion Infrastructure Technology, versions prior to 11.2.8.0
  o Oracle Hyperion Planning, versions prior to 11.2.8.0
  o Oracle Hyperion Profitability and Cost Management, versions prior to 11.2.8.0
  o Oracle Hyperion Tax Provision, versions prior to 11.2.8.0 [1]

IMPACT

The vendor has provided the following information regarding the vulnerabilities:

"This Critical Patch Update contains 12 new security patches for Oracle Hyperion. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials." [1]

CVE-2022-23305  9.8  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The supported version that is affected is Prior to 11.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Data Relationship Management. Successful attacks of this vulnerability can result in takeover of Oracle Hyperion Data Relationship Management.

Affects:
  o Oracle Hyperion Data Relationship Management Prior to 11.2.8.0
  o Oracle Hyperion Infrastructure Technology Prior to 11.2.8.0

CVE-2021-44832  6.6  AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

The supported version that is affected is Prior to 11.2.8.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion BI+. Successful attacks of this vulnerability can result in takeover of Oracle Hyperion BI+.

Affects:
  o Oracle Hyperion BI+ Prior to 11.2.8.0
  o Oracle Hyperion Data Relationship Management Prior to 11.2.8.0
  o Oracle Hyperion Financial Management Prior to 11.2.8.0
  o Oracle Hyperion Infrastructure Technology Prior to 11.2.8.0
  o Oracle Hyperion Planning Prior to 11.2.8.0
  o Oracle Hyperion Profitability and Cost Management Prior to 11.2.8.0
  o Oracle Hyperion Tax Provision Prior to 11.2.8.0

CVE-2020-6950  6.5  AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

The supported version that is affected is Prior to 11.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Calculation Manager. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Calculation Manager accessible data.

Affects:
  o Oracle Hyperion Calculation Manager Prior to 11.2.8.0

CVE-2021-31812  5.5  AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

The supported version that is affected is Prior to 11.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Hyperion Infrastructure Technology executes to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hyperion Infrastructure Technology.

Affects:
  o Oracle Hyperion Infrastructure Technology Prior to 11.2.8.0

CVE-2020-7760  5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

The supported version that is affected is Prior to 11.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Data Relationship Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Data Relationship Management.

Affects:
  o Oracle Hyperion Data Relationship Management Prior to 11.2.9.0

MITIGATION

Oracle states:

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."
[1]

REFERENCES

  [1] Oracle Critical Patch Update Advisory - April 2022
      https://www.oracle.com/security-alerts/cpuapr2022.html

  [2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
      https://www.oracle.com/security-alerts/cpuapr2022verbose.html

===========================================================================
===========================================================================
20 April 2022

ASB-2022.0096 - [Win][UNIX/Linux] Oracle Hospitality Applications: CVSS (Max): 8.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                       AUSCERT Security Bulletin

                             ASB-2022.0096
         Oracle Hospitality Applications Critical Patch Update
                             20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Hospitality Suite8
                   Oracle Hospitality Token Proxy Service
                   Oracle Payment Interface
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44832 CVE-2021-41184 CVE-2021-37714
                   CVE-2020-13936

Comment: CVSS (Max):  8.8 CVE-2020-13936 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Multiple vulnerabilities have been identified in:

         o Oracle Hospitality Suite8, versions 8.10.2, 8.11.0-8.14.0
         o Oracle Hospitality Token Proxy Service, version 19.2
         o Oracle Payment Interface, versions 19.1, 20.3 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 6 new security patches for
        Oracle Hospitality Applications. 2 of these vulnerabilities may be
        remotely exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials." [1]

        CVE-2020-13936 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

        The supported version that is affected is 19.2. Easily exploitable
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Hospitality Token Proxy Service. Successful
        attacks of this vulnerability can result in takeover of Oracle
        Hospitality Token Proxy Service.

        Affects:
         o Oracle Hospitality Token Proxy Service 19.2

        CVE-2021-37714 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        The supported version that is affected is 19.2. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Hospitality Token Proxy Service. Successful
        attacks of this vulnerability can result in unauthorized ability to
        cause a hang or frequently repeatable crash (complete DOS) of Oracle
        Hospitality Token Proxy Service.

        Affects:
         o Oracle Hospitality Token Proxy Service 19.2

        CVE-2021-44832 6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

        Supported versions that are affected are 8.13.0 and 8.14.0. Difficult
        to exploit vulnerability allows high privileged attacker with network
        access via TCP to compromise Oracle Hospitality Suite8. Successful
        attacks of this vulnerability can result in takeover of Oracle
        Hospitality Suite8.

        Affects:
         o Oracle Hospitality Suite8 8.13.0, 8.14.0
         o Oracle Hospitality Token Proxy Service 19.2
         o Oracle Payment Interface 19.1, 20.3

        CVE-2021-41184 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

        Supported versions that are affected are 8.10.2 and 8.11.0-8.14.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Hospitality Suite8.
        Successful attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle Hospitality
        Suite8, attacks may significantly impact additional products (scope
        change). Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of Oracle
        Hospitality Suite8 accessible data as well as unauthorized read access
        to a subset of Oracle Hospitality Suite8 accessible data.

        Affects:
         o Oracle Hospitality Suite8 8.10.2, 8.11.0-8.14.0

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2022
            https://www.oracle.com/security-alerts/cpuapr2022.html

        [2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
            https://www.oracle.com/security-alerts/cpuapr2022verbose.html

AusCERT has made every effort to ensure that the information contained in this
document is accurate. However, the decision to use the information described is
the responsibility of each user or organisation. The decision to follow or act
on information or advice contained in this security bulletin is the
responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT takes
no responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+IVONLKJtyKPYoAQg83BAAnRZsOqXBb49fbivAOYp9ruViKAzE0wHR
OF+aCIneWjTtf8p4oJGl146LCO9bHWjyrosWMlQ0a6KekI3Xs/pBguEVe10Q2D8r
q+3hfwYirWlBmprLHwR6AwUYOObzL4/MqfFein4rxFNwtacPSAf+3T7Z5NBVKQ7t
7hWkHeFtT9o0wRZp87YVDtnOIZ3v90n2udulkJ48WEa1/PtUaE1bWAflk66VmvjC
HpuNiqPmM5YqncyLSnbSwmIW7LkE/VVq2v8AQCzNHrxcQ6GnaFVr2+zESeVRM1hh
rG5VedDfsdfErr1LWFnmjI6iANJnY/JMNuhfonX77ahRnjC6x6glz+pcNLk8BslK
K4tZVrka3KtxJ/RmMuvr7caVseW+Gkpjw3KydDfgsy/9Iqd8wl4JKr66sIcjCHlG
xTBHH1NDXyPrrASBCexZe8NjB3ukhZAESXExEdB4ozS5Zo9rJotQD6G309ME8BNR
kMkYPlmnGxi6O5OjMfIAw1SF435bRtO27xd3QsOvaCeqFEVoSH9CcKCiw5tpeWcT
zp5e8YR6Ps9HHBbF/FvKQzwmkgB2mUMlYaG6VJlwCFgJWGn7vF/YL7r8XDHi4MNN
unReBiucX5nSkKF0tFnP+o0JIFOMRYvLAnyVqDzEAqxQqjqiIH5VYwpVR6qQ8bPK
g29nipq0dmA=
=Sx9q
-----END PGP SIGNATURE-----
20 April 2022

ASB-2022.0095 - [Win][UNIX/Linux] Oracle Health Sciences Applications: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                       AUSCERT Security Bulletin

                             ASB-2022.0095
       Oracle Health Sciences Applications Critical Patch Update
                             20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Health Sciences Empirica Signal
                   Oracle Health Sciences InForm
                   Oracle Health Sciences InForm Publisher
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44832 CVE-2021-3711

Comment: CVSS (Max):  9.8 CVE-2021-3711 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Multiple vulnerabilities have been identified in:

         o Oracle Health Sciences Empirica Signal, versions 9.1.0.6, 9.2.0.0
         o Oracle Health Sciences InForm, versions 6.2.1.1, 6.3.2.1, 7.0.0.0
         o Oracle Health Sciences InForm Publisher, versions 6.2.1.1, 6.3.1.1 [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:

        "This Critical Patch Update contains 3 new security patches for
        Oracle Health Sciences Applications. 1 of these vulnerabilities may
        be remotely exploitable without authentication, i.e., may be
        exploited over a network without requiring user credentials." [1]

        CVE-2021-3711 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        Supported versions that are affected are 6.2.1.1 and 6.3.1.1. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via TLS to compromise Oracle Health Sciences InForm
        Publisher. Successful attacks of this vulnerability can result in
        takeover of Oracle Health Sciences InForm Publisher.

        Affects:
         o Oracle Health Sciences InForm Publisher 6.2.1.1, 6.3.1.1

        CVE-2021-44832 6.6 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

        Supported versions that are affected are 9.1.0.6 and 9.2.0.0.
        Difficult to exploit vulnerability allows high privileged attacker
        with network access via HTTP to compromise Oracle Health Sciences
        Empirica Signal. Successful attacks of this vulnerability can result
        in takeover of Oracle Health Sciences Empirica Signal.

        Affects:
         o Oracle Health Sciences Empirica Signal 9.1.0.6, 9.2.0.0
         o Oracle Health Sciences InForm 6.2.1.1, 6.3.2.1, 7.0.0.0

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2022
            https://www.oracle.com/security-alerts/cpuapr2022.html

        [2] Text Form of Oracle Critical Patch Update - April 2022 Risk Matrices
            https://www.oracle.com/security-alerts/cpuapr2022verbose.html

AusCERT has made every effort to ensure that the information contained in this
document is accurate. However, the decision to use the information described is
the responsibility of each user or organisation. The decision to follow or act
on information or advice contained in this security bulletin is the
responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT takes
no responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+EouNLKJtyKPYoAQjedQ/9EJKUUlwtEDNAje2K2yNIr/MiVe1+2vgV
3LiyHabFj0Py07tOaSp6ill3N88cq9XcehQFD41p/udIVZsD2XBp0HHfNnICysG5
Z0tEbKiU7LVMYkiL3H0n8FpbFfBX0E7o0Sedp5g7uj8abzG/PxjI1rNRCWPePUdC
nC8jfQp7xH16aeNHR5JRTJulXPPGTWnXd3JUZknmKfAYvYZ6ylfsDMtuGGj5Zd4n
LZMT7fnMI7omImV6YYWYYDgwStfOkjMSvAs66QbDLmeAcgjae9vvUTHK7wcSELWc
pPlz//0RpSwRSSIGlSbdJKHTD38PotXF7Gu3HIGGsLPKTw25a8m/wPHsTp34lXlO
kUZSUKFTwRiXR41t6eAWsEOY5BAOnhsiTZCz4mb6iENv3oTSAwp1bNBeY+5wvlAN
E6BrBa7iwnFyQATehWmSISd91QaQanzh5fSwONK6w/uQExOmolqA0Fm+mAiFbQVF
RZIj+YV+GI6rjkWm80fcdLQON4EHVNhdJBoiD7w9K5pJ7JJVIH4BIG/KGNvCqQy9
/k6vWkLzZ9FqqOfHhmJNkwTdh7elsi2ZB2p7vlLfm/8LNIgg7ASfLSjdgzI66NHM
LFpQMwnYStyib/Yq996hejrE18BVmV2GG5j6liQAslu6UF0UDPrhE1RC6FFjR6hb
Amk30zmG/XY=
=Z5ud
-----END PGP SIGNATURE-----
20 April 2022

ESB-2022.1703 - [SUSE] SDL2: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2022.1703
                        Security update for SDL2
                             20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SDL2
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33657

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221218-1

Comment: CVSS (Max):  7.8 CVE-2021-33657 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SDL2
______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1218-1
Rating:            important
References:        #1198001
Cross-References:  CVE-2021-33657
Affected Products:
                   SUSE Enterprise Storage 7
                   SUSE Linux Enterprise Desktop 15-SP3
                   SUSE Linux Enterprise Desktop 15-SP4
                   SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                   SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                   SUSE Linux Enterprise High Performance Computing 15-SP3
                   SUSE Linux Enterprise High Performance Computing 15-SP4
                   SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                   SUSE Linux Enterprise Module for Desktop Applications 15-SP4
                   SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                   SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
                   SUSE Linux Enterprise Realtime Extension 15-SP2
                   SUSE Linux Enterprise Server 15-SP2-BCL
                   SUSE Linux Enterprise Server 15-SP2-LTSS
                   SUSE Linux Enterprise Server 15-SP3
                   SUSE Linux Enterprise Server 15-SP4
                   SUSE Linux Enterprise Server for SAP 15-SP2
                   SUSE Linux Enterprise Server for SAP Applications 15-SP3
                   SUSE Linux Enterprise Server for SAP Applications 15-SP4
                   SUSE Manager Proxy 4.1
                   SUSE Manager Proxy 4.2
                   SUSE Manager Retail Branch Server 4.1
                   SUSE Manager Server 4.1
                   SUSE Manager Server 4.2
                   openSUSE Leap 15.3
                   openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for SDL2 fixes the following issues:

  o CVE-2021-33657: Fix a buffer overflow when parsing a crafted BMP image
    (bsc#1198001).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o openSUSE Leap 15.4:
    zypper in -t patch openSUSE-SLE-15.4-2022-1218=1
  o openSUSE Leap 15.3:
    zypper in -t patch openSUSE-SLE-15.3-2022-1218=1
  o SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1218=1
  o SUSE Manager Retail Branch Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1218=1
  o SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1218=1
  o SUSE Linux Enterprise Server for SAP 15-SP2:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1218=1
  o SUSE Linux Enterprise Server 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1218=1
  o SUSE Linux Enterprise Server 15-SP2-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1218=1
  o SUSE Linux Enterprise Realtime Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1218=1
  o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-1218=1
  o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1218=1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP4:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-1218=1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-1218=1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1218=1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1218=1
  o SUSE Enterprise Storage 7:
    zypper in -t patch SUSE-Storage-7-2022-1218=1

Package List:

  o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o openSUSE Leap 15.4 (x86_64):
       libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
       libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-32bit-2.0.8-150200.11.6.1
  o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o openSUSE Leap 15.3 (x86_64):
       libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
       libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-32bit-2.0.8-150200.11.6.1
  o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Manager Retail Branch Server 4.1 (x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Manager Proxy 4.1 (x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
       libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-32bit-2.0.8-150200.11.6.1
       libSDL2-2_0-0-32bit-debuginfo-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64 ppc64le s390x x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1
  o SUSE Enterprise Storage 7 (aarch64 x86_64):
       SDL2-debugsource-2.0.8-150200.11.6.1
       libSDL2-2_0-0-2.0.8-150200.11.6.1
       libSDL2-2_0-0-debuginfo-2.0.8-150200.11.6.1
       libSDL2-devel-2.0.8-150200.11.6.1

References:

  o https://www.suse.com/security/cve/CVE-2021-33657.html
  o https://bugzilla.suse.com/1198001

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYl+Bi+NLKJtyKPYoAQj1MA/+Pl/OJ4Y+aniuosW3eYvo3SvJ7eGfjENJ
PovTBnBDQViL1d4PdLte8OwUtumxKaXdsSAEs4D5rzdy9UVG0bQgnVWkPE8l09S3
iqcfNV2PjQ1CKgGQ5jUr9S8UO37Z4zBUT6Fc1MtHuBnmpBE4sDxnnvDzh8vhEBWj
QIPgeo23vEf9tzbHwRcQ3Uz31ElZOw1PNc4//B80AxIImJufhID6298pKmb1YXGA
5WGw1CtsQNkX84BZfmIo6ZIalE6nAmJuVrBwqTXMr9JyIjFpq6pKXeq9zO2RPdz1
LvZfjLQzClpyipBY9kjbwyKbBf1nQ91nJ5GU7g/txabz8KZiTBDvo/BAx7yOudVW
ntHqf4KAjMP3NbL6BXjOdLDPzPd+hya8w96bmmqU7zNSYZwWVwd9eNznCUyygLBu
pf3fcJDryDUecZIC2mjPur84lDeh+GuMBjxHNc5V9rcjj0uVDDpBsgE+FgjhDLqa
1SLSyxyEIxG8cHrlBnsZQHsDDgGfxuaDsZ38e71D/Q81UwOTwEU4HA7dHpYP8wBV
37xAgcR71js/zvzXMP1TZgE1n9YIinsDAz/dWWEjahCiUqONUYIpnr0Hgz55vVYE
U8qEPi6MjzR4CpDDzP+h4sX5AnmMoZ45NLDgyt7qiRIPbqLhSIXZEtGweZ70AmNP
VTwP/oPbTlo=
=tFNl
-----END PGP SIGNATURE-----