Multiple Industrial Control System Vendors Warn of Critical Bugs

Four industrial control system vendors each announced vulnerabilities that ranged from critical to high-severity.

Industrial control system firms Real Time Automation and Paradox both warned of critical vulnerabilities Tuesday that opened systems up to remote attacks by adversaries.

The flaws are rated 9.8 out of 10 in severity under the industry-standard Common Vulnerability Scoring System (CVSS). The Real Time Automation bug traces back to a component vulnerability made public by Claroty.

“A stack overflow vulnerability was discovered in RTA’s 499ES ENIP stack, all versions prior to 2.28, one of the most widely used OT protocols,” wrote Claroty, which publicly disclosed the bug Tuesday. Third-party code used in the proprietary Real Time Automation (RTA) component, 499ES EtherNet/IP (ENIP), can be triggered to cause conditions ripe for a denial-of-service attack.

Claroty said it had identified 11 devices from six different vendors that use RTA’s ENIP stack and are likely to be vulnerable to attack. It did not name those other vendors. The vulnerability, tracked as CVE-2020-25159, was reported to CISA last month by Sharon Brizinov of Claroty.

RTA, which describes itself as providing industrial control systems for manufacturing and building automation, posted information regarding the vulnerability on Oct. 27.

John Rinaldi, chief strategist, business development manager and CEO of RTA, said in October that, “Older code in the RTA device attempted to reduce RAM usage by limiting the size of a particular buffer used in an EtherNet/IP Forward Open request. By limiting the RAM, it made it possible for an attacker to attempt to overrun the buffer and use that to try to get control of the device. That line of code was changed a number of revision levels ago and is not an issue in current EtherNet/IP software revision levels.”

ICS Security System Paradox

Security device maker Paradox also announced a critical bug (CVE-2020-25189) impacting its IP150 Internet Module that created conditions ripe for a stack-based buffer overflow attack.

“Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code, which may result in the termination of the physical security system,” wrote the Cybersecurity and Infrastructure Security Agency (CISA) in a bulletin posted on Tuesday.

According to Paradox, the impacted IP150 Internet Module is a “LAN based communication module that enables you to control and monitor your Paradox security system over a LAN or the internet through any web browser.”

A second high-severity bug, tracked as CVE-2020-25185 with a CVSS rating of 8.8, opens the IP150 Internet Module to “five post-authentication buffer overflows, which may allow a logged in user to remotely execute arbitrary code.”

While Paradox indicated that there are no known public exploits targeting the vulnerabilities, the company also did not offer any specific patches for either bug.

Inquiries to Paradox were not returned.

In lieu of patches, Paradox offered a number of mitigation recommendations, including ensuring that the least-privilege user principle is adhered to, and that operators “minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet.”

Busy Day for ICS Patches

In addition to the RTA and Paradox bugs, high-severity flaws were made public by Sensormatic Electronics, a subsidiary of Johnson Controls, and ICS behemoth Schneider Electric.

Schneider reported nine high-severity bugs in its Interactive Graphical SCADA System. The vulnerabilities include improper restriction of operations within the bounds of a memory buffer, as well as out-of-bounds write and out-of-bounds read flaws.

The Sensormatic bug (CVE-2020-9049) impacts the American Dynamics victor Web Client and the Software House C•CURE Web Client.

“Successful exploitation of this vulnerability could allow an unauthenticated attacker on the network to create and sign their own JSON web token and use it to execute an HTTP API method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a denial-of-service attack,” warned CISA in its security bulletin posted Tuesday.
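The failure CISA describes above, an API accepting a token that someone other than the server signed, is exactly what a JWT verifier has to rule out. The following is an added illustration in Python and is not code from Sensormatic, Johnson Controls or the CISA bulletin; the keys, claims and the HS256 choice are constructed for the demo. It verifies a token only against the server's own key, pins the algorithm server-side and rejects both an attacker-signed token and a tampered payload.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys: the server's own signing secret and a key only the attacker holds
SERVER_KEY = b"server-secret-demo-key"
ATTACKER_KEY = b"attacker-chosen-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT: header.payload.signature, base64url without padding."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def splice_payload(signed_token: str, other_token: str) -> str:
    """Constructed tampering case: keep a valid header and signature, swap in another payload."""
    header, _, sig = signed_token.split(".")
    return f"{header}.{other_token.split('.')[1]}.{sig}"


def verify_token(token: str, server_key: bytes):
    """Return the claims only if the token is HS256-signed with server_key, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or malformed JSON
        return None
    # Pin the algorithm server-side: the token's own "alg" field must never select the check
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(server_key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the presented signature with the one the server computes
    if not hmac.compare_digest(expected, sig):
        return None
    return claims


if __name__ == "__main__":
    good = make_token({"sub": "operator", "role": "viewer"}, SERVER_KEY)
    forged = make_token({"sub": "admin", "role": "admin"}, ATTACKER_KEY)
    print("server-signed:", verify_token(good, SERVER_KEY))                        # claims returned
    print("attacker-signed:", verify_token(forged, SERVER_KEY))                    # None
    print("tampered:", verify_token(splice_payload(good, forged), SERVER_KEY))     # None
```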
