ICS Vulnerabilities - CCI Thermometer 2021-4 - Centro de ...
Table of contents

Introduction ..... 4
What's new in 2021 ..... 4
Vendors and ICS weaknesses ..... 5
New vendors ..... 5
New weaknesses ..... 5
New alerts ..... 6
Risk map ..... 7
Changes in vendor risk ..... 7
ANNEX I: Risk map calculation ..... 8
ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer ..... 9
Industrial cybersecurity professional for more than ten years at companies including Schneider Electric, S21sec, EY, SecurityMatters, Forescout, Telefónica and currently TITANIUM Industrial Security. Active member of the Centro de Ciberseguridad Industrial (CCI) ecosystem since 2013, Black Level professional, and author and reviewer of several of the studies and documents produced by the CCI.
Introduction
Since the publication of the notebook "A decade of ICS vulnerabilities" ("Una década de vulnerabilidades ICS") on 4 May 2020, new vulnerabilities in ICS systems have continued to be published, which has changed the risk exposure of the vendors covered in that notebook.

At the CCI we want to keep this information up to date, to offer a view of how these vulnerabilities evolve that the ecosystem can use as it needs, in a publication we will call the CCI ICS Vulnerabilities Thermometer (Termómetro de vulnerabilidades ICS del CCI).

In each update we will publish:

    •   The change in the number of control-system vendors included in the thermometer for the current period
    •   The evolution of vulnerabilities and alerts for the control-system vendors included in the thermometer
    •   The vendors' risk-exposure heat map, updated as of the publication date
    •   Comments on how the risk map has evolved

What's new in 2021
To keep up with the growing number of public vulnerabilities that affect several vendors, in 2021 a new criterion will apply: every vendor affected by a single vulnerability (CVE) will be listed. To be consistent with this new approach, in 2021 we will speak of "ICS Weaknesses" (Debilidades ICS) to accommodate these multi-vendor vulnerabilities.

Vendors and ICS weaknesses

New vendors
This edition of the CCI thermometer includes 1 new vendor, bringing the total to 30. The vendor is Hilscher, which supplies Bosch Rexroth with a component for its ActiveMover product (Ethernet/IP IO Device); it is classed as an alert because of the potential total loss of service of the device if this vulnerability is exploited over the network.

New weaknesses
The number of ICS vulnerabilities published by NIST since the last update is 41.

Siemens accumulates 19 CVEs in April and continues to lead the qualitative risk map. Notably, in its security update of 13 April, Siemens reported security problems in more than 27 products. The convergence with IT technology is producing ever more common scenarios in which programming flaws in free-software libraries affect critical industrial products. The case of the libxml2 library (CVE-2019-19956), which seriously affects the availability of Siemens' remote access server (SINEMA Remote Connect Server), is a very clear example of this trend (https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf).

Eaton follows with 6 weaknesses published in April 2021 associated with its Intelligent Power Manager (IPM) product.

Schneider Electric also reported the publication of 5 CVEs in April associated with its C-Bus Toolkit product.

Wind River, with its VxWorks operating system, once again confirms a case of vulnerability amplification: as they themselves state on their product page (https://lp.windriver.com/redefining-rtos.html), VxWorks is used in millions of devices from vendors such as Siemens, Kuka, Rockwell, Bosch and many others.

In the coming months we will see the effect of these and other amplified vulnerabilities (BadAlloc) that affect the RTOS of multiple products.

New alerts
This month NIST has not published any new vendor alerts. Recall that we classify a weakness as an alert when exploiting the vulnerability has low complexity, its access vector is the network, and it can cause a total loss of service (according to the CVSS v2 classification, so that weaknesses in older products can be classified historically).
However, the change to the algorithm made in January 2021 to detect ICS weaknesses that affect more than one vendor did not categorize as an alert a January CVE (CVE-2021-20586) from Mitsubishi Electric that affects its robot controllers.
Since correcting oneself is wise, it is included as a "new" alert in this thermometer, given its effect on the change in this vendor's qualitative risk exposure.

CVE              Date published   CVSS   Warning   Description
CVE-2021-20586   2021-01-29       7.8              Resource management errors vulnerability in a robot controller of MELFA FR
                                                   Series(controller "CR800-*V*D" of RV-*FR***-D-* all versions, controller "CR800-*HD"
                                                   of RH-*FRH***-D-* all versions, controller "CR800-*HRD" of RH-*FRHR***-D-* all
                                                   versions, controller "CR800-*V*R with R16RTCPU" of RV-*FR***-R-* all versions,
                                                   controller "CR800-*HR with R16RTCPU" of RH-*FRH***-R-* all versions, controller
                                                   "CR800-*HRR with R16RTCPU" of RH-*FRHR***-R-* all versions, controller "CR800-*V*Q
                                                   with Q172DSRCPU" of RV-*FR***-Q-* all versions, controller "CR800-*HQ with
                                                   Q172DSRCPU" of RH-*FRH***-Q-* all versions, controller "CR800-*HRQ with Q172DSRCPU"
                                                   of RH-*FRHR***-Q-* all versions) and a robot controller of MELFA CR Series(controller
                                                   "CR800-CVD" of RV-8CRL-D-* all versions, controller "CR800-CHD" of RH-*CRH**-D-* all
                                                   versions) as well as a cooperative robot ASSISTA(controller "CR800-05VD" of RV-5AS-D-*
                                                   all versions) allows a remote unauthenticated attacker to cause a DoS of the execution
                                                   of the robot program and the Ethernet communication by sending a large amount of
                                                   packets in burst over a short period of time. As a result of DoS, an error may occur.
                                                   A reset is required to recover it if the error occurs.

                                      Mitsubishi Electric - MELFA FR Series controller

The case of Hilscher, a new vendor in the thermometer and supplier of Bosch Rexroth, has also been recorded as an alert in this edition.

CVE              Date published   CVSS   Warning   Description
CVE-2021-20987   2021-02-16       9.0              A denial of service and memory corruption vulnerability was found in Hilscher
                                                   EtherNet/IP Core V2 prior to V2.13.0.21 that may lead to code injection through
                                                   network or make devices crash without recovery.

Risk map
30 April 2021

[Figure: qualitative risk-exposure heat map of the 30 vendors as of 30 April 2021. Vendors are grouped as they appear on the map: Siemens on its own at the far right; Hilscher, Mitsubishi Electric, Panasonic; Delta Electronics, Moxa, Pro-face, Schneider Electric, Wind River; Advantech, Emerson, Mikrotik; GE; Belden, Digi, Eaton, Fatek, Fuji Electric, Hirschmann, Honeywell, Kepware, Omron, PTC (ThingWorx), Rockwell, Software Toolbox, ABB, Philips, ProSoft, RuggedCom, Tesla.]

Changes in vendor risk
As noted in the previous section, including the "missed" Mitsubishi Electric alert raises its qualitative risk exposure to High. Mitsubishi thereby obtains a mean CVSS v2 of 6.5 over the last 10 years.

Hilscher also enters with High risk due to the alert recorded this April.

The remaining vendors keep their level on the qualitative risk-exposure heat map.
ANNEX I: Risk map calculation
To show each vendor's posture with respect to the risk associated with its published vulnerabilities quickly and graphically, I have chosen a format that is very common in risk management: the heat map.
This diagram uses different colours to represent the associated risk qualitatively in four ranges: Low, Medium, High and Very High.

[Figure: heat-map legend; the four ranges Low, Medium, High and Very High run diagonally from the bottom-left corner to the top-right corner.]

Each vendor's position on the map depends on the values obtained for two parameters, one associated with probability (number of CVEs published) and one with the impact of those CVEs (mean CVSS value).
For each year, each of these values has been calculated on a scale from 1 to 5.
     • On the horizontal axis, the value is proportional to the number of CVEs published for that vendor in a given year compared with the vendor with the largest number of CVEs.
     • On the vertical axis, the value is the mean CVSS of the CVEs published that year, divided by 2.
To give a more qualitative picture of each vendor's posture, two corrections have been introduced into the calculation:
     • If the vendor has any CVE that year considered an Alert (network access, low complexity and complete availability impact), the impact (vertical axis) is increased by one unit and the probability (horizontal axis) by one unit. This distinguishes that vendor from others without such CVEs and places it in a higher-risk zone.
     • Likewise, if a vendor has any CVE that year with a CVSS value of 10.0, the probability (horizontal axis) is increased by one unit. This distinguishes that vendor from others without such CVEs and places it in a higher-risk zone.

Simulations have shown that these corrections do not substantially alter the vendor's overall risk posture but do give a more accurate qualitative diagnosis.

ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer
CVE              Date         CVSS   Warning   Description
                 published     V2
CVE-2021-25668   2021-04-22    7.5             A vulnerability has been identified in SCALANCE X200-4P IRT (All versions
                                               < 5.5.1), SCALANCE X201-3P IRT (All versions < 5.5.1), SCALANCE X201-
                                               3P IRT PRO (All versions < 5.5.1), SCALANCE X202-2 IRT (All versions <
                                               5.5.1), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All versions <
                                               5.5.1), SCALANCE X202-2P IRT PRO (All versions < 5.5.1), SCALANCE X204
                                               IRT (All versions < 5.5.1), SCALANCE X204 IRT PRO (All versions < 5.5.1),
                                               SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE
                                               X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant)
                                               (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS
                                               (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (All
                                               versions), SCALANCE X208 (incl. SIPLUS NET variant) (All versions),
                                               SCALANCE X208PRO (All versions), SCALANCE X212-2 (incl. SIPLUS NET
                                               variant) (All versions), SCALANCE X212-2LD (All versions), SCALANCE
                                               X216 (All versions), SCALANCE X224 (All versions), SCALANCE XF201-3P
                                               IRT (All versions < 5.5.1), SCALANCE XF202-2P IRT (All versions < 5.5.1),
                                               SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All versions <
                                               5.5.1), SCALANCE XF204-2 (incl. SIPLUS NET variant) (All versions),
                                               SCALANCE XF204-2BA IRT (All versions < 5.5.1), SCALANCE XF206-1 (All
                                               versions), SCALANCE XF208 (All versions). Incorrect processing of POST
                                               requests in the webserver may result in write out of bounds in heap. An
                                               attacker might leverage this to cause denial-of-service on the device and
                                               potentially remotely execute code.
CVE-2021-25669   2021-04-22   7.5              A vulnerability has been identified in SCALANCE X200-4P IRT (All versions
                                               < 5.5.1), SCALANCE X201-3P IRT (All versions < 5.5.1), SCALANCE X201-
                                               3P IRT PRO (All versions < 5.5.1), SCALANCE X202-2 IRT (All versions <
                                               5.5.1), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All versions <
                                               5.5.1), SCALANCE X202-2P IRT PRO (All versions < 5.5.1), SCALANCE X204
                                               IRT (All versions < 5.5.1), SCALANCE X204 IRT PRO (All versions < 5.5.1),
                                               SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE
                                               X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant)
                                               (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS
                                               (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (All
                                               versions), SCALANCE X208 (incl. SIPLUS NET variant) (All versions),
                                               SCALANCE X208PRO (All versions), SCALANCE X212-2 (incl. SIPLUS NET
                                               variant) (All versions), SCALANCE X212-2LD (All versions), SCALANCE
                                               X216 (All versions), SCALANCE X224 (All versions), SCALANCE XF201-3P
                                               IRT (All versions < 5.5.1), SCALANCE XF202-2P IRT (All versions < 5.5.1),
                                               SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All versions <
                                               5.5.1), SCALANCE XF204-2 (incl. SIPLUS NET variant) (All versions),
                                               SCALANCE XF204-2BA IRT (All versions < 5.5.1), SCALANCE XF206-1 (All
                                               versions), SCALANCE XF208 (All versions). Incorrect processing of POST
                                               requests in the web server may write out of bounds in stack. An attacker
                                               might leverage this to denial-of-service of the device or remote code
                                               execution.
CVE-2021-27389   2021-04-22   7.5              A vulnerability has been identified in Opcenter Quality (All versions <
                                               V12.2), QMS Automotive (All versions < V12.30). A private sign key is
                                               shipped with the product without adequate protection.
CVE-2020-25244   2021-04-22   7.2              A vulnerability has been identified in LOGO! Soft Comfort (All versions).
                                               The software insecurely loads libraries which makes it vulnerable to DLL
                                               hijacking. Successful exploitation by a local attacker could lead to a
                                               takeover of the system where the software is installed.
CVE-2020-25243   2021-04-22    7.2             A vulnerability has been identified in LOGO! Soft Comfort (All versions).
                                               A zip slip vulnerability could be triggered while importing a
                                               compromised project file to the affected software. Chained with other
                                               vulnerabilities this vulnerability could ultimately lead to a system
                                               takeover by an attacker.
CVE-2021-25670   2021-04-22   6.8              A vulnerability has been identified in Tecnomatix RobotExpert (All
                                               versions < V16.1). Affected applications lack proper validation of user-
                                               supplied data when parsing CELL files. This could result in an out of
                                               bounds write past the end of an allocated structure. An attacker could
                                               leverage this vulnerability to execute code in the context of the current
                                               process. (ZDI-CAN-12608)
CVE-2021-27382   2021-04-22   6.8              A vulnerability has been identified in Solid Edge SE2020 (All versions <
                                               SE2020MP13), Solid Edge SE2020 (SE2020MP13), Solid Edge SE2021 (All
                                               Versions < SE2021MP4). Affected applications lack proper validation of
                                               user-supplied data when parsing of PAR files. This could result in a stack
                                               based buffer overflow. An attacker could leverage this vulnerability to
                                               execute code in the context of the current process. (ZDI-CAN-13040)
CVE-2021-25678   2021-04-22   6.8              A vulnerability has been identified in Solid Edge SE2020 (All versions <
                                               SE2020MP13), Solid Edge SE2020 (SE2020MP13), Solid Edge SE2021 (All
                                               Versions < SE2021MP4). Affected applications lack proper validation of
                                               user-supplied data when parsing PAR files. This could result in an out of
                                               bounds write past the end of an allocated structure. An attacker could
                                               leverage this vulnerability to execute code in the context of the current
                                               process. (ZDI-CAN-12529)
CVE-2020-26997   2021-04-22   6.8              A vulnerability has been identified in Solid Edge SE2020 (All versions <
                                               SE2020MP13), Solid Edge SE2020 (SE2020MP13), Solid Edge SE2021 (All
                                               Versions < SE2021MP4). Affected applications lack proper validation of
                                               user-supplied data when parsing PAR files. This could lead to pointer
                                               dereferences of a value obtained from untrusted source. An attacker
                                               could leverage this vulnerability to execute code in the context of the
                                               current process. (ZDI-CAN-11919)
CVE-2020-27009   2021-04-22   6.8              A vulnerability has been identified in Nucleus NET (All versions < V5.2),
                                               Nucleus RTOS (versions including affected DNS modules), Nucleus
                                               Source Code (versions including affected DNS modules), VSTAR (versions
                                               including affected DNS modules). The DNS domain name record
                                               decompression functionality does not properly validate the pointer
                                               offset values. The parsing of malformed responses could result in a write
                                               past the end of an allocated structure. An attacker with a privileged
                                               position in the network could leverage this vulnerability to execute code
                                               in the context of the current process or cause a denial-of-service
                                               condition.
CVE-2020-15795   2021-04-22   6.8              A vulnerability has been identified in Nucleus NET (All versions < V5.2),
                                               Nucleus RTOS (versions including affected DNS modules), Nucleus
                                               Source Code (versions including affected DNS modules), VSTAR (versions
                                               including affected DNS modules). The DNS domain name label parsing
                                               functionality does not properly validate the names in DNS-responses.
                                               The parsing of malformed responses could result in a write past the end
                                               of an allocated structure. An attacker with a privileged position in the
                                               network could leverage this vulnerability to execute code in the context
                                               of the current process or cause a denial-of-service condition.
CVE-2020-27738   2021-04-22   6.4              A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0),
                                               Nucleus NET (All versions), Nucleus RTOS (versions including affected
                                               DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus
                                               Source Code (versions including affected DNS modules), SIMOTICS
                                               CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including
                                               affected DNS modules). The DNS domain name record decompression
                                               functionality does not properly validate the pointer offset values. The
                                               parsing of malformed responses could result in a read access past the
                                               end of an allocated structure. An attacker with a privileged position in
                                               the network could leverage this vulnerability to cause a denial-of-service
                                               condition.
CVE-2020-27737   2021-04-22   5.8              A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0),
                                               Nucleus NET (All versions), Nucleus RTOS (versions including affected
                                               DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus
                                               Source Code (versions including affected DNS modules), SIMOTICS
                                               CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including
                                               affected DNS modules). The DNS response parsing functionality does not
                                               properly validate various length and counts of the records. The parsing
                                               of malformed responses could result in a read past the end of an
                                               allocated structure. An attacker with a privileged position in the network
                                               could leverage this vulnerability to cause a denial-of-service condition or
                                               leak the memory past the allocated structure.
CVE-2020-27736   2021-04-22   5.8              A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0),
                                               Nucleus NET (All versions), Nucleus RTOS (versions including affected
                                               DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus
                                               Source Code (versions including affected DNS modules), SIMOTICS
                                               CONNECT 400 (All versions < V0.5.0.0), VSTAR (versions including
                                               affected DNS modules). The DNS domain name label parsing
                                               functionality does not properly validate the null-terminated name in
                                               DNS-responses. The parsing of malformed responses could result in a
                                               read past the end of an allocated structure. An attacker with a privileged
                                               position in the network could leverage this vulnerability to cause a
                                               denial-of-service condition or leak the read memory.
CVE-2021-27393   2021-04-22   5.0              A vulnerability has been identified in Nucleus NET (All versions), Nucleus
                                               RTOS (versions including affected DNS modules), Nucleus ReadyStart (All
                                               versions < V2013.08), Nucleus Source Code (versions including affected
                                               DNS modules), VSTAR (versions including affected DNS modules). The
                                               DNS client does not properly randomize UDP port numbers of DNS
                                               requests. That could allow an attacker to poison the DNS cache or spoof
                                               DNS resolving.
CVE-2021-25664   2021-04-22   5.0              A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0),
                                               Nucleus NET (All versions), Nucleus ReadyStart (All versions), Nucleus
                                               Source Code (versions including affected IPv6 stack), VSTAR (versions
                                               including affected IPv6 stack). The function that processes the Hop-by-
                                               Hop extension header in IPv6 packets and its options lacks any checks
                                               against the length field of the header, allowing attackers to put the
                                               function into an infinite loop by supplying arbitrary length values.
CVE-2021-25663   2021-04-22   5.0              A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0),
                                               Nucleus NET (All versions), Nucleus ReadyStart (All versions), Nucleus
                                               Source Code (versions including affected IPv6 stack), VSTAR (versions
                                               including affected IPv6 stack). The function that processes IPv6 headers
                                               does not check the lengths of extension header options, allowing
                                               attackers to put this function into an infinite loop with crafted length
                                               values.
CVE-2021-25677   2021-04-22   5.0              A vulnerability has been identified in Nucleus 4 (All versions < V4.1.0),
                                               Nucleus NET (All versions), Nucleus RTOS (versions including affected
                                               DNS modules), Nucleus ReadyStart (All versions < V2017.02.3), Nucleus
                                               Source Code (versions including affected DNS modules), SIMOTICS
                                               CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All
                                               versions >= V0.5.0.0), VSTAR (versions including affected DNS modules).
                                               The DNS client does not properly randomize DNS transaction IDs. That
                                               could allow an attacker to poison the DNS cache or spoof DNS resolving.
CVE-2021-27392   2021-04-22   4.0              A vulnerability has been identified in Siveillance Video Open Network
                                               Bridge (2020 R3), Siveillance Video Open Network Bridge (2020 R2),
                                               Siveillance Video Open Network Bridge (2020 R1), Siveillance Video
                                               Open Network Bridge (2019 R3), Siveillance Video Open Network Bridge
                                               (2019 R2), Siveillance Video Open Network Bridge (2019 R1), Siveillance
                                               Video Open Network Bridge (2018 R3), Siveillance Video Open Network
                                               Bridge (2018 R2). Affected Open Network Bridges store user credentials
                                               for the authentication between ONVIF clients and ONVIF server using a
                                               hard-coded key. The encrypted credentials can be retrieved via the MIP
                                               SDK. This could allow an authenticated remote attacker to retrieve and
                                               decrypt all credentials stored on the ONVIF server.
CVE-2021-29999   2021-04-13   7.5              An issue was discovered in Wind River VxWorks through 6.8. There is a
                                               possible stack overflow in dhcp server.
CVE-2021-29998   2021-04-13   7.5              An issue was discovered in Wind River VxWorks before 6.5. There is a
                                               possible heap overflow in dhcp client.
CVE-2021-22718   2021-04-13   7.5              A CWE-22: Improper Limitation of a Pathname to a Restricted Directory
                                               ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior)
                                               that could allow a remote code execution when restoring project files.
CVE-2021-22720   2021-04-13   7.5              A CWE-22: Improper Limitation of a Pathname to a Restricted Directory
                                               ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior)
                                               that could allow a remote code execution when restoring a project.
CVE-2021-23281   2021-04-13   7.5              Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to
                                               unauthenticated remote code execution vulnerability. IPM software
                                               does not sanitize the data provided via coverterCheckList action in
                                               meta_driver_srv.js class. Attackers can send a specially crafted packet to
                                               make IPM connect to a rogue SNMP server and execute attacker-
                                               controlled code.
CVE-2021-23277   2021-04-13   7.5              Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to
                                               unauthenticated eval injection vulnerability. The software does not
                                               neutralize code syntax from users before using in the dynamic
                                               evaluation call in loadUserFile function under scripts/libs/utils.js.
                                               Successful exploitation can allow attackers to control the input to the
                                               function and execute attacker controlled commands.
CVE-2021-22716   2021-04-13   6.5              A CWE-269: Improper Privilege Management vulnerability exists in C-Bus
                                               Toolkit (V1.15.7 and prior) that could allow a remote code execution
                                               when an unprivileged user modifies a file.
CVE-2021-22717   2021-04-13   6.5              A CWE-22: Improper Limitation of a Pathname to a Restricted Directory
                                               ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior)
                                               that could allow a remote code execution when processing config files.
CVE-2021-22719   2021-04-13   6.5              A CWE-22: Improper Limitation of a Pathname to a Restricted Directory
                                               ('Path Traversal') vulnerability exists in C-Bus Toolkit (V1.15.7 and prior)
                                               that could allow a remote code execution when a file is uploaded.
CVE-2021-23280   2021-04-13   6.5              Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to
                                               authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js
                                               allows an attacker to upload a malicious NodeJS file using
                                               uploadBackgroud action. An attacker can upload a malicious code or
                                               execute any command using a specially crafted packet to exploit the
                                               vulnerability.
CVE-2021-23276   2021-04-13   6.5              Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to
                                               authenticated SQL injection. A malicious user can send a specially
                                               crafted packet to exploit the vulnerability. Successful exploitation of this
                                               vulnerability can allow attackers to add users in the database.
CVE-2021-23279   2021-04-13   6.4              Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to
                                               unauthenticated arbitrary file delete vulnerability induced due to
                                               improper input validation in meta_driver_srv.js class with
                                               saveDriverData action using invalidated driverID. An attacker can send
                                               specially crafted packets to delete the files on the system where IPM
                                               software is installed.
CVE-2021-23278   2021-04-13   5.5              Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to
                                               authenticated arbitrary file delete vulnerability induced due to improper
                                               input validation at server/maps_srv.js with action removeBackground
                                               and server/node_upgrade_srv.js with action removeFirmware. An
                                               attacker can send specially crafted packets to delete the files on the
                                                system where IPM software is installed.
CVE-2021-27486   2021-04-12     6.8             FATEK Automation WinProladder Versions 3.30 and prior is vulnerable
                                                to an integer underflow, which may cause an out-of-bounds write and
                                                allow an attacker to execute arbitrary code.
CVE-2021-22659   2021-03-25    7.5              Rockwell Automation MicroLogix 1400 Version 21.6 and below may
                                                allow a remote unauthenticated attacker to send a specially crafted
                                                Modbus packet allowing the attacker to retrieve or modify random
                                                values in the register. If successfully exploited, this may lead to a buffer
                                                overflow resulting in a denial-of-service condition. The FAULT LED will
                                                flash RED and communications may be lost. Recovery from denial-of-
                                                service condition requires the fault to be cleared by the user.
CVE-2021-27440   2021-03-25    7.5              The software contains a hard-coded password it uses for its own
                                                inbound authentication or for outbound communication to external
                                                components on the Reason DR60 (all firmware versions prior to
                                                02A04.1).
CVE-2021-27438   2021-03-25    6.5              The software contains a hard-coded password it uses for its own
                                                inbound authentication or for outbound communication to external
                                                components on the Reason DR60 (all firmware versions prior to
                                                02A04.1).
CVE-2021-27454   2021-03-25    4.6              The software performs an operation at a privilege level higher than the
                                                minimum level required, which creates new weaknesses or amplifies the
                                                consequences of other weaknesses on the Reason DR60 (all firmware
                                                versions prior to 02A04.1).
CVE-2021-20586   2021-01-29    7.8              Resource management errors vulnerability in a robot controller of
                                                 MELFA FR Series (controller "CR800-*V*D" of RV-*FR***-D-* all versions,
                                                controller "CR800-*HD" of RH-*FRH***-D-* all versions, controller
                                                "CR800-*HRD" of RH-*FRHR***-D-* all versions, controller "CR800-*V*R
                                                with R16RTCPU" of RV-*FR***-R-* all versions, controller "CR800-*HR
                                                with R16RTCPU" of RH-*FRH***-R-* all versions, controller "CR800-
                                                *HRR with R16RTCPU" of RH-*FRHR***-R-* all versions, controller
                                                "CR800-*V*Q with Q172DSRCPU" of RV-*FR***-Q-* all versions,
                                                controller "CR800-*HQ with Q172DSRCPU" of RH-*FRH***-Q-* all
                                                versions, controller "CR800-*HRQ with Q172DSRCPU" of RH-*FRHR***-
                                                 Q-* all versions) and a robot controller of MELFA CR Series (controller
                                                "CR800-CVD" of RV-8CRL-D-* all versions, controller "CR800-CHD" of RH-
                                                *CRH**-D-* all versions) as well as a cooperative robot
                                                 ASSISTA (controller "CR800-05VD" of RV-5AS-D-* all versions) allows a
                                                remote unauthenticated attacker to cause a DoS of the execution of the
                                                robot program and the Ethernet communication by sending a large
                                                amount of packets in burst over a short period of time. As a result of
                                                DoS, an error may occur. A reset is required to recover it if the error
                                                occurs.
CVE-2021-20987   2021-02-16     9.0             A denial of service and memory corruption vulnerability was found in
                                                Hilscher EtherNet/IP Core V2 prior to V2.13.0.21 that may lead to code
                                                injection through network or make devices crash without recovery.
