ICS Vulnerabilities Thermometer CCI 2021-4 - Centro de ...
Table of contents
Introduction ........ 4
What's new in 2021 ........ 4
Manufacturers and ICS weaknesses ........ 5
New manufacturers ........ 5
New weaknesses ........ 5
New alerts ........ 6
Risk map ........ 7
Changes in manufacturer risk ........ 7
ANNEX I: Calculation of the risk map ........ 8
ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer ........ 9
Industrial cybersecurity professional for more than ten years at companies including Schneider Electric, S21sec, EY, SecurityMatters, Forescout and Telefónica, and currently at TITANIUM Industrial Security. Active member of the Centro de Ciberseguridad Industrial (CCI) ecosystem since 2013, Black Level professional, and author and reviewer of several studies and documents produced by the CCI.
Introduction

Since the publication of the notebook "A decade of ICS vulnerabilities" on 4 May 2020, new vulnerabilities in ICS systems have continued to be published, changing the risk exposure of the manufacturers covered in that notebook. The CCI wants to keep this information up to date, so as to offer a view of how these vulnerabilities evolve that the ecosystem can use as it sees fit, in a publication we will call the CCI ICS Vulnerability Thermometer. In each update we will publish:

• The evolution of the number of control-system manufacturers included in the thermometer for the current period
• The evolution of the vulnerabilities and alerts of the control manufacturers included in the thermometer
• The heat map of manufacturers' risk exposure, updated as of the publication date
• Comments on the evolution of the risk map

What's new in 2021

To adapt to the growing number of public vulnerabilities that affect several manufacturers, in 2021 a new criterion is applied: every manufacturer affected by a single vulnerability (CVE) is listed. To be consistent with this new approach, in 2021 we will speak of "ICS Weaknesses" to accommodate these multi-vendor vulnerabilities.
Manufacturers and ICS weaknesses

New manufacturers

This edition of the CCI thermometer adds 1 new manufacturer, bringing the total to 30. That manufacturer is Hilscher, which supplies Bosch Rexroth with a component for its ActiveMover product (Ethernet/IP IO Device); it is classed as an alert because of the potential total loss of service of the device if the vulnerability is exploited over the network.

New weaknesses

The number of ICS vulnerabilities published by NIST since the last update is 41. Siemens accumulates 19 CVEs in April and continues to lead the qualitative risk map. Notably, in its security update of 13 April, Siemens reported security issues in more than 27 products. Convergence with IT-world technology is producing increasingly common scenarios in which programming flaws in open-source software libraries affect critical industrial products. The case of the libxml2 library (CVE-2019-19956), which severely affects the availability of Siemens' remote access server (SINEMA Remote Connect Server), is a very clear example of this trend (https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf).

Eaton follows with 6 weaknesses published in April 2021 associated with its Intelligent Power Manager (IPM) product. Schneider Electric also reported the publication of 5 CVEs in April associated with its C-Bus Toolkit product. Wind River, with its VxWorks operating system, once again confirms another case of vulnerability amplification, since, as they themselves state on their product page (https://lp.windriver.com/redefining-rtos.html), VxWorks is used in millions of devices from manufacturers such as Siemens, Kuka, Rockwell, Bosch and many others. In the coming months we will see the effect of these and other amplified vulnerabilities (BadAlloc), which affect the RTOS of multiple products.
New alerts

This month, NIST has not published any new manufacturer alerts. As a reminder, a vulnerability is classed as an alert when its exploitation has low complexity, its access vector is the network, and it can cause a total loss of service (under the CVSS v2 classification, so that weaknesses in older products can be classified historically). However, the change of algorithm made in January 2021 to detect ICS weaknesses affecting more than one manufacturer did not categorise as an alert a January CVE (CVE-2021-20586) from Mitsubishi Electric, which affects its robot controllers. Since correcting oneself is wise, it is included as a "new" alert in this thermometer, given its effect on the change in this manufacturer's qualitative risk exposure.

CVE | Date published | CVSS | Warning | Description
CVE-2021-20586 | 2021-01-29 | 7.8 | Alert | Resource management errors vulnerability in a robot controller of MELFA FR Series(controller "CR800-*V*D" of RV-*FR***-D-* all versions, controller "CR800-*HD" of RH-*FRH***-D-* all versions, controller "CR800-*HRD" of RH-*FRHR***-D-* all versions, controller "CR800-*V*R with R16RTCPU" of RV-*FR***-R-* all versions, controller "CR800-*HR with R16RTCPU" of RH-*FRH***-R-* all versions, controller "CR800-*HRR with R16RTCPU" of RH-*FRHR***-R-* all versions, controller "CR800-*V*Q with Q172DSRCPU" of RV-*FR***-Q-* all versions, controller "CR800-*HQ with Q172DSRCPU" of RH-*FRH***-Q-* all versions, controller "CR800-*HRQ with Q172DSRCPU" of RH-*FRHR***-Q-* all versions) and a robot controller of MELFA CR Series(controller "CR800-CVD" of RV-8CRL-D-* all versions, controller "CR800-CHD" of RH-*CRH**-D-* all versions) as well as a cooperative robot ASSISTA(controller "CR800-05VD" of RV-5AS-D-* all versions) allows a remote unauthenticated attacker to cause a DoS of the execution of the robot program and the Ethernet communication by sending a large amount of packets in burst over a short period of time. As a result of DoS, an error may occur. A reset is required to recover it if the error occurs.

Mitsubishi Electric - MELFA FR Series controller
The case of Hilscher, a new manufacturer in the thermometer and a supplier to Bosch Rexroth, has also been recorded as an alert in this edition.

CVE | Date published | CVSS | Warning | Description
CVE-2021-20987 | 2021-02-16 | 9.0 | Alert | A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21 that may lead to code injection through network or make devices crash without recovery.
Risk map

30 April 2021

[Heat map figure: qualitative risk exposure by manufacturer. Manufacturers shown: Hilscher, Mitsubishi Electric, Panasonic, Delta Electronics, Advantech, Moxa, Emerson, Pro-face, Mikrotik, Schneider Electric, Wind River, Belden, Digi, Eaton, Fatek, Fuji Electric, Siemens, Hirschmann, GE, Honeywell, Kepware, Omron, PTC (ThingWorx), Rockwell, Software Toolbox, ABB, Philips, ProSoft, RuggedCom, Tesla.]

Changes in manufacturer risk

As noted in the previous section, the inclusion of the "missed" Mitsubishi Electric alert raises its qualitative risk exposure level to High. Mitsubishi thereby obtains a mean CVSS v2 of 6.5 over the last 10 years. Hilscher also enters with High risk owing to the alert recorded this April. The remaining manufacturers keep their level on the qualitative risk exposure heat map.
ANNEX I: Calculation of the risk map

To show each manufacturer's posture with respect to the risk associated with its published vulnerabilities quickly and graphically, I have chosen a graphical format very common in risk management: the heat map. This diagram uses different colours to represent the associated risk qualitatively, in four ranges: Low, Medium, High and Very High.

[Legend: VERY HIGH, HIGH, MEDIUM, LOW]

Each manufacturer's position on the map depends on the values obtained for two parameters, one associated with likelihood (number of CVEs published) and one with the impact of those CVEs (mean CVSS value). For each year, each of these values is computed on a scale from 1 to 5.

• On the horizontal axis, the value is proportional to the number of CVEs published for that manufacturer in a given year compared with the manufacturer with the highest number of CVEs.
• On the vertical axis, the mean CVSS value of the CVEs published that year is computed and divided by 2.

To give a more qualitative picture of each manufacturer's posture, two corrections are introduced in the calculation:

• If the manufacturer has any CVE that year considered an Alert (network access, low complexity and complete impact on availability), the impact (vertical axis) is increased by one unit and the likelihood (horizontal axis) by one unit. This is done to distinguish that manufacturer from others without this kind of CVE and to position it in a higher-risk zone.
• Likewise, if a manufacturer has any CVE that year with a CVSS value of 10.0, the likelihood (horizontal axis) is increased by one unit. This is done to distinguish that manufacturer from others without this kind of CVE and to position it in a higher-risk zone.

Various simulations have shown that these corrections do not greatly alter the manufacturer's overall risk posture, yet they give a better-fitting qualitative diagnosis.
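The Annex I calculation, as an added example that is not part of the CCI document: it classifies CVSS v2 records as Alerts and places each manufacturer on the 1-to-5 likelihood/impact grid with both corrections applied. The linear scaling of the horizontal axis, the cap at 5 after the corrections and the CVSS v2 vectors attached to the sample records are assumptions; the sample records are constructed from CVE ids and scores on this page plus one placeholder record.

```python
"""Added example, not part of the CCI document: the Annex I heat-map
calculation run over a constructed list of CVE records.

Assumptions not stated in the document:
  - the horizontal axis (likelihood) is scaled linearly, 1 + 4 * n / n_max,
    so the manufacturer with the most CVEs in the year scores 5;
  - both axes are capped at 5 after the two corrections are applied;
  - the Alert test reads a CVSS v2 base vector (AV:N, AC:L, A:C); the
    vectors attached to the sample records below are illustrative.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    vendor: str
    year: int
    cvss_v2: float
    vector_v2: str  # CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:N/I:N/A:C"


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 base vector into metric -> value pairs."""
    metrics: Dict[str, str] = {}
    for item in vector.split("/"):
        key, sep, value = item.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed CVSS v2 vector: {vector!r}")
        metrics[key] = value
    return metrics


def is_alert(cve: Cve) -> bool:
    """Annex I 'Alert': network access, low complexity, complete availability impact."""
    m = parse_vector(cve.vector_v2)
    return m.get("AV") == "N" and m.get("AC") == "L" and m.get("A") == "C"


def map_position(cves: List[Cve], vendor: str, year: int) -> Optional[Tuple[float, float]]:
    """Return (likelihood, impact) on the 1..5 grid, or None if the vendor has no CVE that year."""
    year_cves = [c for c in cves if c.year == year]
    own = [c for c in year_cves if c.vendor == vendor]
    if not own:
        return None
    counts: Dict[str, int] = {}
    for c in year_cves:
        counts[c.vendor] = counts.get(c.vendor, 0) + 1
    n_max = max(counts.values())
    likelihood = 1 + 4 * len(own) / n_max        # horizontal axis (assumed linear scaling)
    impact = mean(c.cvss_v2 for c in own) / 2    # vertical axis: mean CVSS v2 divided by 2
    if any(is_alert(c) for c in own):            # correction 1: an Alert this year
        likelihood += 1
        impact += 1
    if any(c.cvss_v2 >= 10.0 for c in own):      # correction 2: a CVSS 10.0 this year
        likelihood += 1
    return (round(min(likelihood, 5.0), 2), round(min(impact, 5.0), 2))


def heat_map(cves: List[Cve], year: int) -> Dict[str, Optional[Tuple[float, float]]]:
    """Positions for every vendor with at least one CVE in the year."""
    vendors = sorted({c.vendor for c in cves if c.year == year})
    return {v: map_position(cves, v, year) for v in vendors}


# Constructed sample: CVE ids and CVSS v2 scores are taken from this thermometer;
# the vectors are illustrative, and the last record is a placeholder added only
# to exercise the CVSS 10.0 correction.
SAMPLE_CVES = [
    Cve("CVE-2021-25668", "Siemens", 2021, 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    Cve("CVE-2021-27389", "Siemens", 2021, 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    Cve("CVE-2021-27392", "Siemens", 2021, 4.0, "AV:N/AC:L/Au:S/C:P/I:N/A:N"),
    Cve("CVE-2021-23281", "Eaton", 2021, 7.5, "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    Cve("CVE-2021-20586", "Mitsubishi Electric", 2021, 7.8, "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
    Cve("CVE-2021-20987", "Hilscher", 2021, 9.0, "AV:N/AC:L/Au:S/C:C/I:C/A:C"),
    Cve("CVE-XXXX-PLACEHOLDER", "SampleVendor", 2021, 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
]

if __name__ == "__main__":
    for vendor, position in heat_map(SAMPLE_CVES, 2021).items():
        likelihood, impact = position
        print(f"{vendor:20s} likelihood={likelihood:.2f} impact={impact:.2f}")
```

With the sample data Siemens holds the most CVEs and lands at the right edge of the grid, while the single-CVE Mitsubishi and Hilscher records are pushed upward and rightward by the Alert correction alone.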
ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer

CVE | Date published | CVSS V2 | Warning | Description
CVE-2021-25668 | 2021-04-22 | 7.5 | | A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT PRO (All versions < 5.5.1), SCALANCE X202-2 IRT (All versions < 5.5.1), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All versions < 5.5.1), SCALANCE X202-2P IRT PRO (All versions < 5.5.1), SCALANCE X204 IRT (All versions < 5.5.1), SCALANCE X204 IRT PRO (All versions < 5.5.1), SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (All versions), SCALANCE X208 (incl. SIPLUS NET variant) (All versions), SCALANCE X208PRO (All versions), SCALANCE X212-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X212-2LD (All versions), SCALANCE X216 (All versions), SCALANCE X224 (All versions), SCALANCE XF201-3P IRT (All versions < 5.5.1), SCALANCE XF202-2P IRT (All versions < 5.5.1), SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All versions < 5.5.1), SCALANCE XF204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE XF204-2BA IRT (All versions < 5.5.1), SCALANCE XF206-1 (All versions), SCALANCE XF208 (All versions). Incorrect processing of POST requests in the webserver may result in write out of bounds in heap. An attacker might leverage this to cause denial-of-service on the device and potentially remotely execute code.
CVE-2021-25669 | 2021-04-22 | 7.5 | | A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT (All versions < 5.5.1), SCALANCE X201-3P IRT PRO (All versions < 5.5.1), SCALANCE X202-2 IRT (All versions < 5.5.1), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All versions < 5.5.1), SCALANCE X202-2P IRT PRO (All versions < 5.5.1), SCALANCE X204 IRT (All versions < 5.5.1), SCALANCE X204 IRT PRO (All versions < 5.5.1), SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (All versions), SCALANCE X208 (incl. SIPLUS NET variant) (All versions), SCALANCE X208PRO (All versions), SCALANCE X212-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X212-2LD (All versions), SCALANCE X216 (All versions), SCALANCE X224 (All versions), SCALANCE XF201-3P IRT (All versions < 5.5.1), SCALANCE XF202-2P IRT (All versions < 5.5.1), SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All versions < 5.5.1), SCALANCE XF204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE XF204-2BA IRT (All versions < 5.5.1), SCALANCE XF206-1 (All versions), SCALANCE XF208 (All versions). Incorrect processing of POST requests in the web server may write out of bounds in stack. An attacker might leverage this to denial-of-service of the device or remote code execution.
CVE-2021-27389 | 2021-04-22 | 7.5 | | A vulnerability has been identified in Opcenter Quality (All versions < V12.2), QMS Automotive (All versions < V12.30). A private sign key is shipped with the product without adequate protection.
CVE-2020-25244 | 2021-04-22 | 7.2 | | A vulnerability has been identified in LOGO! Soft Comfort (All versions). The software insecurely loads libraries which makes it vulnerable to DLL hijacking. Successful exploitation by a local attacker could lead to a takeover of the system where the software is installed.
CVE-2020-25243 | 2021-04-22 | 7.2 | | A vulnerability has been identified in LOGO! Soft Comfort (All versions). A zip slip vulnerability could be triggered while importing a compromised project file to the affected software. Chained with other vulnerabilities this vulnerability could ultimately lead to a system takeover by an attacker.
CVE-2021-25670 | 2021-04-22 | 6.8 | | A vulnerability has been identified in Tecnomatix RobotExpert (All versions < V16.1). Affected applications lack proper validation of user-supplied data when parsing CELL files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12608)
CVE-2021-27382 | 2021-04-22 | 6.8 | | A vulnerability has been identified in Solid Edge SE2020 (All versions < SE2020MP13), Solid Edge SE2020 (SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP4). Affected applications lack proper validation of user-supplied data when parsing of PAR files. This could result in a stack based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13040)
CVE-2021-25678 | 2021-04-22 | 6.8 | | A vulnerability has been identified in Solid Edge SE2020 (All versions < SE2020MP13), Solid Edge SE2020 (SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP4). Affected applications lack proper validation of user-supplied data when parsing PAR files. This could result in an out of bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-12529)
CVE-2020-26997 | 2021-04-22 | 6.8 | | A vulnerability has been identified in Solid Edge SE2020 (All versions < SE2020MP13), Solid Edge SE2020 (SE2020MP13), Solid Edge SE2021 (All Versions < SE2021MP4). Affected applications lack proper validation of user-supplied data when parsing PAR files. This could lead to pointer dereferences of a value obtained from untrusted source. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-11919)
CVE-2020-27009 | 2021-04-22 | 6.8 | | A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus RTOS (versions including affected DNS modules), Nucleus Source Code (versions including affected DNS modules), VSTAR (versions including affected DNS modules). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.
CVE-2020-15795 | 2021-04-22 | 6.8 | | A vulnerability has been identified in Nucleus NET (All versions < V5.2), Nucleus RTOS (versions including affected DNS modules), Nucleus Source Code (versions including affected DNS modules), VSTAR (versions including affected DNS modules). The DNS domain name label parsing functionality does not properly validate the names in DNS-responses. The parsing of malformed responses could result in a write past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to execute code in the context of the current process or cause a denial-of-service condition.
CVE-2020-27738 | 2021-04-22 | 6.4 | | A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS domain name record decompression functionality does not properly validate the pointer offset values. The parsing of malformed responses could result in a read access past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition.
CVE-2020-27737 | 2021-04-22 | 5.8 | | A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS response parsing functionality does not properly validate various length and counts of the records. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the memory past the allocated structure.
CVE-2020-27736 | 2021-04-22 | 5.8 | | A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS domain name label parsing functionality does not properly validate the null-terminated name in DNS-responses. The parsing of malformed responses could result in a read past the end of an allocated structure. An attacker with a privileged position in the network could leverage this vulnerability to cause a denial-of-service condition or leak the read memory.
CVE-2021-27393 | 2021-04-22 | 5.0 | | A vulnerability has been identified in Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2013.08), Nucleus Source Code (versions including affected DNS modules), VSTAR (versions including affected DNS modules). The DNS client does not properly randomize UDP port numbers of DNS requests. That could allow an attacker to poison the DNS cache or spoof DNS resolving.
CVE-2021-25664 | 2021-04-22 | 5.0 | | A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus ReadyStart (All versions), Nucleus Source Code (versions including affected IPv6 stack), VSTAR (versions including affected IPv6 stack). The function that processes the Hop-by-Hop extension header in IPv6 packets and its options lacks any checks against the length field of the header, allowing attackers to put the function into an infinite loop by supplying arbitrary length values.
CVE-2021-25663 | 2021-04-22 | 5.0 | | A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus ReadyStart (All versions), Nucleus Source Code (versions including affected IPv6 stack), VSTAR (versions including affected IPv6 stack). The function that processes IPv6 headers does not check the lengths of extension header options, allowing attackers to put this function into an infinite loop with crafted length values.
CVE-2021-25677 | 2021-04-22 | 5.0 | | A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0), Nucleus NET (All versions), Nucleus RTOS (versions including affected DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus Source Code (versions including affected DNS modules), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions >= V0.5.0.0), VSTAR (versions including affected DNS modules). The DNS client does not properly randomize DNS transaction IDs. That could allow an attacker to poison the DNS cache or spoof DNS resolving.
CVE-2021-27392 | 2021-04-22 | 4.0 | | A vulnerability has been identified in Siveillance Video Open Network Bridge (2020 R3), Siveillance Video Open Network Bridge (2020 R2), Siveillance Video Open Network Bridge (2020 R1), Siveillance Video Open Network Bridge (2019 R3), Siveillance Video Open Network Bridge (2019 R2), Siveillance Video Open Network Bridge (2019 R1), Siveillance Video Open Network Bridge (2018 R3), Siveillance Video Open Network Bridge (2018 R2). Affected Open Network Bridges store user credentials for the authentication between ONVIF clients and ONVIF server using a hard-coded key. The encrypted credentials can be retrieved via the MIP SDK. This could allow an authenticated remote attacker to retrieve and decrypt all credentials stored on the ONVIF server.
CVE-2021-29999 | 2021-04-13 | 7.5 | | An issue was discovered in Wind River VxWorks through 6.8. There is a possible stack overflow in dhcp server.
CVE-2021-29998 | 2021-04-13 | 7.5 | | An issue was discovered in Wind River VxWorks before 6.5. There is a possible heap overflow in dhcp client.
CVE-2021-22718 | 2021-04-13 | 7.5 | | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring project files.
CVE-2021-22720 | 2021-04-13 | 7.5 | | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when restoring a project.
CVE-2021-23281 | 2021-04-13 | 7.5 | | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code.
CVE-2021-23277 | 2021-04-13 | 7.5 | | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
CVE-2021-22716 | 2021-04-13 | 6.5 | | A CWE-269: Improper Privilege Management vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when an unprivileged user modifies a file.
CVE-2021-22717 | 2021-04-13 | 6.5 | | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when processing config files.
CVE-2021-22719 | 2021-04-13 | 6.5 | | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when a file is uploaded.
CVE-2021-23280 | 2021-04-13 | 6.5 | | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM's maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.
CVE-2021-23276 | 2021-04-13 | 6.5 | | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.
CVE-2021-23279 | 2021-04-13 | 6.4 | | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
CVE-2021-23278 | 2021-04-13 | 5.5 | | Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
CVE-2021-27486 | 2021-04-12 | 6.8 | | FATEK Automation WinProladder Versions 3.30 and prior is vulnerable to an integer underflow, which may cause an out-of-bounds write and allow an attacker to execute arbitrary code.
CVE-2021-22659 | 2021-03-25 | 7.5 | | Rockwell Automation MicroLogix 1400 Version 21.6 and below may allow a remote unauthenticated attacker to send a specially crafted Modbus packet allowing the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from denial-of-service condition requires the fault to be cleared by the user.
CVE-2021-27440 | 2021-03-25 | 7.5 | | The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).
CVE-2021-27438 | 2021-03-25 | 6.5 | | The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).
CVE-2021-27454 | 2021-03-25 | 4.6 | | The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1).
CVE-2021-20586 | 2021-01-29 | 7.8 | Alert | Resource management errors vulnerability in a robot controller of MELFA FR Series(controller "CR800-*V*D" of RV-*FR***-D-* all versions, controller "CR800-*HD" of RH-*FRH***-D-* all versions, controller "CR800-*HRD" of RH-*FRHR***-D-* all versions, controller "CR800-*V*R with R16RTCPU" of RV-*FR***-R-* all versions, controller "CR800-*HR with R16RTCPU" of RH-*FRH***-R-* all versions, controller "CR800-*HRR with R16RTCPU" of RH-*FRHR***-R-* all versions, controller "CR800-*V*Q with Q172DSRCPU" of RV-*FR***-Q-* all versions, controller "CR800-*HQ with Q172DSRCPU" of RH-*FRH***-Q-* all versions, controller "CR800-*HRQ with Q172DSRCPU" of RH-*FRHR***-Q-* all versions) and a robot controller of MELFA CR Series(controller "CR800-CVD" of RV-8CRL-D-* all versions, controller "CR800-CHD" of RH-*CRH**-D-* all versions) as well as a cooperative robot ASSISTA(controller "CR800-05VD" of RV-5AS-D-* all versions) allows a remote unauthenticated attacker to cause a DoS of the execution of the robot program and the Ethernet communication by sending a large amount of packets in burst over a short period of time. As a result of DoS, an error may occur. A reset is required to recover it if the error occurs.
CVE-2021-20987 | 2021-02-16 | 9.0 | Alert | A denial of service and memory corruption vulnerability was found in Hilscher EtherNet/IP Core V2 prior to V2.13.0.21 that may lead to code injection through network or make devices crash without recovery.