CCI ICS Vulnerabilities 2021 08

ICS Vulnerabilities: CCI Thermometer 2021-08



Table of contents

Introduction
2021 changes
Manufacturers and ICS weaknesses
New manufacturers
New weaknesses
New alerts
Risk map
Changes in manufacturer risk
ANNEX I: Risk map calculation
ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer
ANNEX III: Vulnerabilities of the new manufacturer (Bosch) in 2021


Industrial cybersecurity professional for more than ten years at companies including Schneider Electric, S21sec, EY, SecurityMatters, Forescout and Telefónica, and currently at TITANIUM Industrial Security.

Active member of the Centro de Ciberseguridad Industrial (CCI) ecosystem since 2013, Black Level professional, and author and reviewer of various studies and documents produced by the CCI.


Introduction

Since the publication of the booklet “Una década de vulnerabilidades ICS” (“A decade of ICS vulnerabilities”) on 4 May 2020, new vulnerabilities in ICS systems have continued to be published, which has changed the risk exposure of the manufacturers covered in that booklet.

At CCI we want to keep this information up to date, providing a view of how these vulnerabilities evolve so that the ecosystem can use it as it sees fit, in a publication we will call the CCI ICS Vulnerability Thermometer.

Each update will publish:

• The evolution of the number of control-system manufacturers included in the thermometer for the current period
• The evolution of vulnerabilities and alerts for the control-system manufacturers included in the thermometer
• The manufacturers' risk-exposure heat map, updated as of the publication date
• Comments on the evolution of the risk map

2021 changes

To adapt to the growing number of public vulnerabilities that affect several manufacturers, a new criterion applies from 2021: each of the manufacturers affected by a single vulnerability (CVE) is published separately. To be consistent with this approach, in 2021 we speak of “ICS Weaknesses” to accommodate these multi-manufacturer vulnerabilities.


Manufacturers and ICS weaknesses

New manufacturers

This edition of the CCI thermometer adds 2 new manufacturers, bringing the total to 46 in 2021.

New manufacturers by risk zone:

Low Risk: N/A
Medium Risk: Bosch, Morpho (IDEMIA)
High Risk: N/A
Very High Risk: N/A

The number of ICS manufacturers monitored is key to understanding the volume of weaknesses detected each year, and it explains the differences found in similar studies by other companies and organizations, since the number of weaknesses depends on the set of manufacturers considered. As I explained in the document that gave rise to the CCI thermometer in May 2020, the original set of manufacturers was the one covered by ICS-CERT, although over this year and a half the set has been extended to take into account the solutions most widely deployed in the industrial environments of the CCI ecosystem. This is the case of Bosch, with 1 new weakness published on its IP cameras. This manufacturer has had 20 weaknesses published in 2021, almost all associated with its physical-security solutions (IP surveillance cameras, networked public-address systems and fire-detection systems). See details in ANNEX III. Morpho (IDEMIA) records 3 weaknesses (CVE-2021-35520, CVE-2021-35521 and CVE-2021-35522), the last of which is an alert because it is exploitable over the network, has low complexity and causes total unavailability of the device. All three weaknesses refer to a biometric access-control device, also used in physical security.


New weaknesses

The number of ICS vulnerabilities published and fully characterized by NIST since the last update is 75. This unusual increase comes from the inclusion of Bosch as a control-system manufacturer. ICS-CERT, whose manufacturer list was the initial set monitored in the CCI thermometer, does not cover this manufacturer. I suspect this is because its solutions are less widely deployed in the USA. In Europe, however, the situation is very different and large manufacturers such as Phoenix Contact use its products (of Rexroth origin) in their automation solutions. The impact of its inclusion on the 2021 figures is 20 new weaknesses and 2 alerts. Of the remaining 55, a single manufacturer, CODESYS, accounts for 20% of that number with 11 CVEs published in August. Notably, more vulnerabilities have been published on its products to date (26) than in the whole of 2020 (7). It accumulates a CVSS V2 of 6.4 over the last 10 years.

Siemens adds another 10 weaknesses published in August (1 of them considered an alert) and reaches 169 vulnerabilities in 2021. For one more month it continues to lead the risk-exposure map. In the case of Mitsubishi Electric, the publication of 6 vulnerabilities this month (with 2 alerts) places it in the medium-risk zone, and it now has 12 weaknesses published on its products in 2021.

Fatek adds another 3 weaknesses on its Automation FvDesigner product and now accumulates 12 in 2021. Morpho (IDEMIA) has also had 3 weaknesses published (one of them an alert) on two of its product series, which suggests another case of vulnerability amplification through reuse of libraries and/or modules. Finally, Advantech's R-SeeNet product adds 1 weakness (considered an alert) in August 2021, which affects its risk exposure as a manufacturer. Past the halfway point of 2021, we can confirm that the trend in weakness research on control systems used across multiple sectors keeps growing steadily.


New alerts

This month NIST has published 5 new manufacturer alerts, but the inclusion of Bosch in the thermometer list introduces two further alerts published in 2021 (ANNEX III provides detailed information on all of them). Recall that they are classified as alerts because exploitation of the vulnerability has low complexity, uses the network as its access vector and can cause a total loss of service (according to the CVSS V2 classification, which allows historical classification of weaknesses in older products). Mitsubishi Electric has had 2 alerts published on 2 of its product series:

• Mitsubishi Electric GT27
• Mitsubishi Electric G50A

In both cases, sending malicious IP packets can leave the device isolated, and reconnecting it to the control network would require a device restart.

CVE Date published CVSS Warning Description

CVE-2021-20592 2021-08-05 7.8 Missing synchronization vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.39.010, GT25 model communication driver versions 01.19.000 through 01.39.010 and GT23 model communication driver versions 01.19.000 through 01.39.010 and GT SoftGOT2000 versions 1.170C through 1.256S allows a remote unauthenticated attacker to cause DoS condition on the MODBUS/TCP slave communication function of the products by rapidly and repeatedly connecting and disconnecting to and from the MODBUS/TCP communication port on a target. Restart or reset is required to recover.

CVE-2021-20595 2021-07-13 8.5 Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of data in the air conditioning system or cause a DoS condition by sending specially crafted packets.


In the case of Morpho (IDEMIA), NIST published 1 new alert this month on its Morpho Wave and VisionPass products:

• Morpho Wave
• VisionPass

Both systems provide physical-security solutions (access control), so updating them promptly to non-vulnerable versions would be important.

CVE Date published CVSS Warning Description

CVE-2021-35522 2021-07-22 9.0 A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before 4.9.7 allows remote attackers to achieve code execution, denial of services, and information disclosure via TCP/IP packets.

The problem is related to the TCP/IP stack that both devices use. The recommendations on security evaluation of products at the design, procurement and acceptance-testing stages do not seem to be gaining much ground. Advantech surprises us again with 1 new alert on its R-SeeNet product (that makes 5 in 2021):

CVE Date published CVSS Warning Description

CVE-2021-21805 2021-08-05 10.0 An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

The weakness stems from the scant verification of the parameters received in HTTP requests. In more academic terms:

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')


Siemens accumulates 1 new alert this month on its SINEC NMS product:

CVE Date published CVSS Warning Description

CVE-2021-35721 2021-08-10 9.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected application incorrectly neutralizes special elements when creating batch operations which could lead to command injection. An authenticated remote attacker with administrative privileges could exploit this vulnerability to execute arbitrary code on the system with system privileges.

The problem is similar to that of the Advantech application:

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
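The two CWE-78 cases above (the R-SeeNet ping.php alert and the SINEC NMS batch-operation alert) share one root cause: a value taken from an HTTP request reaches a command line without adequate verification. The following Python is an added example, not code from the report, from Advantech or from Siemens; neither vendor's source is on the page, so the `host` parameter name, the function names and the ping invocation are assumptions made here to illustrate the pattern. It shows the unsafe shape (request value concatenated into a shell command string) beside a hardened form (allowlist validation of the value, then passing it as its own argv element with no shell involved).

```python
"""Added example: CWE-78 (OS command injection) pattern vs. hardened handling.

Assumed scenario: a web handler receives a `host` parameter and pings it.
Nothing here is taken from the Advantech or Siemens products on the page.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def build_ping_command_insecure(host: str) -> str:
    """Anti-pattern (the CWE-78 shape the page describes for ping.php):
    the request parameter is pasted into a command string that a shell will
    later interpret, so shell metacharacters inside `host` become part of
    the command line instead of staying data. Shown only for contrast;
    never pass its result to a shell."""
    return "ping -c 1 " + host


def validate_target(host: str) -> str:
    """Allowlist validation: accept only an IPv4/IPv6 literal or an RFC 1123
    hostname. Returns the normalized value or raises ValueError. Rejecting
    everything else is what removes the injection surface: a value that
    passes cannot contain ';', '|', '&', '$', quotes, spaces or newlines."""
    try:
        return str(ipaddress.ip_address(host))   # IP literal, normalized
    except ValueError:
        pass
    if len(host) <= 253 and _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected target parameter: {host!r}")


def is_valid_target(host: str) -> bool:
    """Boolean wrapper around validate_target for callers that only need a verdict."""
    try:
        validate_target(host)
        return True
    except ValueError:
        return False


def build_ping_argv(host: str) -> list:
    """Hardened form: validate first, then hand the value to the process as a
    separate argv element. No shell parses it, so even a value that slipped
    past validation could not terminate or chain commands."""
    return ["ping", "-c", "1", validate_target(host)]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Run the ping without a shell (shell=False) and return its exit status."""
    completed = subprocess.run(build_ping_argv(host), shell=False,
                               capture_output=True, timeout=timeout, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate target and one with a shell
    # metacharacter, to show the two handlers side by side.
    for sample in ("192.0.2.10", "192.0.2.10;extra"):
        print("insecure string :", build_ping_command_insecure(sample))
        print("validated argv  :", build_ping_argv(sample) if is_valid_target(sample)
              else "rejected by validate_target")
```

The validation step is the important one for this class of weakness: the argv form alone would still let an attacker pass ping options or odd targets, and the concatenated form cannot be made safe by escaping alone because escaping rules differ between shells. Both fixes together (allowlist the value, never involve a shell) are the standard CWE-78 mitigation.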


Risk map, 31 August 2021

[Heat map figure not reproduced in text. Manufacturer positions are not recoverable from the extraction; the names shown, in the groupings the extraction preserved, are: Circutor, Digitek, Motorola Solutions, Pro-face, Zebra Industrial | Advantech, Bosch, Hilscher, Mitsubishi Electric, Moxa, Panasonic, Phoenix Contact, Schneider Electric | Siemens | Beckhoff, Belden, CODESYS, Delta Electronics, Digi, Eaton, eWON, Fatek, Fuji Electric, Hirschmann, Honeywell, Johnson Controls, Kepware, Omron, PTC (ThingWorx), Rockwell, Software Toolbox, Wibu Systems, Wind River | Emerson, GE, Mikrotik | ABB, Philips, ProSoft, RuggedCom, SafeNet, SearchBlox, Tesla, Wago, Aveva.]


Changes in manufacturer risk

The high number of weaknesses published by NIST in August on Siemens products keeps its risk exposure at Very High. Schneider Electric returns to the Medium+ risk zone for purely statistical reasons in the risk-map calculation.

Bosch enters directly into the Medium+ risk zone together with other manufacturers (Advantech, Hilscher, Mitsubishi Electric, Morpho, Moxa, Panasonic, Phoenix Contact and Schneider Electric).

The remaining manufacturers keep their level on the qualitative risk-exposure heat map.


ANNEX I: Risk map calculation

In order to show each manufacturer's posture with respect to the risk associated with its published vulnerabilities quickly and graphically, I chose a chart format very common in risk management: the heat map. This diagram uses different colours to represent the associated risk qualitatively, in four ranges: Low, Medium, High and Very High.

[Heat map legend: Very High, High, Medium, Low]

Each manufacturer's position on the map depends on the values obtained for two parameters, one associated with probability (number of CVEs published) and one with the impact of those CVEs (mean CVSS value). For each year, each of these values is calculated on a scale from 1 to 5.

• On the horizontal axis, the value is proportional to the number of CVEs published for that manufacturer in a given year, compared with the manufacturer with the highest number of CVEs.

• On the vertical axis, the mean CVSS value of the CVEs published that year is calculated and divided by 2.

To give a more qualitative picture of each manufacturer's posture, two corrections are introduced in the calculation:

• If the manufacturer has any CVE that year considered an alert (network access, low complexity and complete availability impact), the impact (vertical axis) is increased by one unit and the probability (horizontal axis) by one unit. This is done to distinguish this manufacturer from others without such CVEs and place it in a higher-risk zone.

• Likewise, if a manufacturer has any CVE that year with a CVSS value of 10.0, the probability (horizontal axis) is increased by one unit. This is done to distinguish this manufacturer from others without such CVEs and place it in a higher-risk zone.

Various simulations have shown that these corrections do not significantly alter a manufacturer's overall risk posture, yet they give a better-fitting qualitative diagnosis.
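The following Python is an added worked example of the calculation described in this annex, combined with the alert rule given in the "New alerts" section (network access vector, low complexity, complete availability impact, in CVSS V2 terms). It is not the CCI's own tooling. Where the annex leaves a detail open, the example makes a labelled assumption: the horizontal axis is scaled linearly to 1..5 against the manufacturer with the most CVEs, both axes are clamped at 5 after the corrections, and the thresholds that turn a position into Low/Medium/High/Very High are the example's own. The CVE records are constructed sample data, not entries from the annexes.

```python
"""Added example: CCI thermometer risk-map calculation (not the CCI's code).

Assumptions beyond the annex text are marked ASSUMPTION in comments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    vendor: str
    cvss_v2: float
    vector_v2: str  # CVSS v2 base vector, e.g. "AV:N/AC:L/Au:N/C:N/I:N/A:C"


@dataclass(frozen=True)
class VendorRisk:
    vendor: str
    n_cves: int
    n_alerts: int
    probability: float  # horizontal axis, 1..5
    impact: float       # vertical axis, 0..5
    zone: str


def parse_vector(vector: str) -> dict:
    """Split a CVSS v2 base vector into {metric: value}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def is_alert(cve: Cve) -> bool:
    """Thermometer alert rule: network access vector (AV:N), low access
    complexity (AC:L) and complete availability impact (A:C)."""
    m = parse_vector(cve.vector_v2)
    return m.get("AV") == "N" and m.get("AC") == "L" and m.get("A") == "C"


def risk_zone(probability: float, impact: float) -> str:
    """Qualitative zone from the two axes. ASSUMPTION: the page only names the
    four ranges; the product-of-axes thresholds here are this example's."""
    score = probability * impact
    if score < 5:
        return "Low"
    if score < 10:
        return "Medium"
    if score < 15:
        return "High"
    return "Very High"


def vendor_risk(vendor: str, cves: list, max_count: int) -> VendorRisk:
    own = [c for c in cves if c.vendor == vendor]
    n = len(own)
    # Horizontal axis: CVE count relative to the vendor with most CVEs, on 1..5.
    # ASSUMPTION: linear scaling with a floor of 1.
    probability = float(max(1, round(5 * n / max_count)))
    # Vertical axis: mean CVSS v2 divided by 2 (as stated in the annex).
    impact = (sum(c.cvss_v2 for c in own) / n) / 2
    n_alerts = sum(1 for c in own if is_alert(c))
    # Correction 1: any alert that year -> +1 impact and +1 probability.
    if n_alerts:
        impact += 1
        probability += 1
    # Correction 2: any CVSS 10.0 that year -> +1 probability.
    if any(c.cvss_v2 == 10.0 for c in own):
        probability += 1
    # ASSUMPTION: clamp both axes to the 5x5 grid after the corrections.
    probability = min(probability, 5.0)
    impact = round(min(impact, 5.0), 2)
    return VendorRisk(vendor, n, n_alerts, probability, impact,
                      risk_zone(probability, impact))


def build_risk_map(cves: list) -> dict:
    """Position every vendor present in `cves`; returns {vendor: VendorRisk}."""
    vendors = sorted({c.vendor for c in cves})
    max_count = max(sum(1 for c in cves if c.vendor == v) for v in vendors)
    return {v: vendor_risk(v, cves, max_count) for v in vendors}


# Constructed sample data (CVE ids are placeholders, scores follow CVSS v2 vectors).
SAMPLE_CVES = [
    Cve("CVE-XXXX-A1", "Vendor A", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C"),  # alert, 10.0
    Cve("CVE-XXXX-A2", "Vendor A", 7.8, "AV:N/AC:L/Au:N/C:N/I:N/A:C"),   # alert (DoS)
    Cve("CVE-XXXX-A3", "Vendor A", 5.0, "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
    Cve("CVE-XXXX-A4", "Vendor A", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    Cve("CVE-XXXX-A5", "Vendor A", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    Cve("CVE-XXXX-B1", "Vendor B", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
    Cve("CVE-XXXX-B2", "Vendor B", 6.5, "AV:N/AC:L/Au:S/C:P/I:P/A:P"),
    Cve("CVE-XXXX-C1", "Vendor C", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:C"),   # single DoS alert
]

if __name__ == "__main__":
    for vendor, r in build_risk_map(SAMPLE_CVES).items():
        print(f"{vendor}: cves={r.n_cves} alerts={r.n_alerts} "
              f"x={r.probability} y={r.impact} -> {r.zone}")
```

Run as a script it prints one line per vendor. Vendor C is the instructive case: with a single CVE of 5.0 it would sit at (1, 2.5), but because that CVE is a network-reachable, low-complexity DoS it is an alert, and the correction moves it to (2, 3.5), which is the "higher-risk zone" effect the annex describes.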


ANNEX II: Vulnerabilities published by NIST since the last CCI thermometer

CVE Date published CVSS V2 Warning Description

CVE-2021-31338 2021-08-19 4.6 A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0 SP1). Affected devices allow to modify configuration settings over an unauthenticated channel. This could allow a local attacker to escalate privileges and execute own code on the device.

CVE-2021-33721 2021-08-10 9.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected application incorrectly neutralizes special elements when creating batch operations which could lead to command injection. An authenticated remote attacker with administrative privileges could exploit this vulnerability to execute arbitrary code on the system with system privileges.

CVE-2021-20592 2021-08-05 7.8 Missing synchronization vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.39.010, GT25 model communication driver versions 01.19.000 through 01.39.010 and GT23 model communication driver versions 01.19.000 through 01.39.010 and GT SoftGOT2000 versions 1.170C through 1.256S allows a remote unauthenticated attacker to cause DoS condition on the MODBUS/TCP slave communication function of the products by rapidly and repeatedly connecting and disconnecting to and from the MODBUS/TCP communication port on a target. Restart or reset is required to recover.

CVE-2021-21805 2021-08-05 10.0 An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

CVE-2021-35522 2021-07-22 9.0 A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before 4.9.7 allows remote attackers to achieve code execution, denial of services, and information disclosure via TCP/IP packets.

CVE-2021-20595 2021-07-13 8.5 Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of data in the air conditioning system or cause a DoS condition by sending specially crafted packets.

CVE-2020-20221 2021-07-21 6.8 Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.

CVE-2021-21868 2021-08-18 6.8 An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21867 2021-08-18 6.8 An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-32939 2021-08-11 6.8 FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to an out-of-bounds write while processing project files, allowing an attacker to craft a project file that may permit arbitrary code execution.

CVE-2021-32947 2021-08-11 6.8 FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.

CVE-2021-32931 2021-08-11 6.8 An uninitialized pointer in FATEK Automation FvDesigner, Versions 1.5.88 and prior may be exploited while the application is processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.

CVE-2021-32943 2021-08-10 7.5 The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).


CVE-2021-37180 2021-08-10 6.8 A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). The PSKERNEL.dll library lacks proper validation while parsing user-supplied OBJ files that could cause an out of bounds access to an uninitialized pointer. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13775)

CVE-2021-37179 2021-08-10 6.8 A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). The PSKERNEL.dll library in affected application lacks proper validation while parsing user-supplied OBJ files that could lead to a use-after-free condition. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-13777)

CVE-2021-37172 2021-08-10 5.0 A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (V4.5.0). Affected devices fail to authenticate against configured passwords when provisioned using TIA Portal V13. This could allow an attacker using TIA Portal V17 or later versions to bypass authentication and download arbitrary programs to the PLC. The vulnerability does not occur when TIA Portal V13 SP1 or any later version was used to provision the device.

CVE-2020-28397 2021-08-10 5.0 A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions), SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All versions > V2.5), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect authorization check in the affected component, an attacker could extract information about access protected PLC program variables over port 102/tcp from an affected device when reading multiple attributes at once.

CVE-2021-25659 2021-08-10 5.0 A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0 SP9 Update 2). Sending specially crafted packets to port 4410/tcp of an affected system could lead to extensive memory being consumed and as such could cause a denial-of-service preventing legitimate users from using the system.

CVE-2021-37178 2021-08-10 4.3 A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML external entity injection vulnerability in the underlying XML parser could cause the affected application to disclose arbitrary files to remote attackers by loading a specially crafted xml file.

CVE-2021-33738 2021-08-10 4.3 A vulnerability has been identified in JT2Go (All versions < V13.2.0.2), Teamcenter Visualization (All versions < V13.2.0.2). The plmxmlAdapterSE70.dll library in affected applications lacks proper validation of user-supplied data when parsing PAR files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13405)

CVE-2021-33717 2021-08-10 4.3 A vulnerability has been identified in JT2Go (All versions < V13.2.0.1), Teamcenter Visualization (All versions < V13.2.0.1). When parsing specially crafted CGM Files, a NULL pointer deference condition could cause the application to crash. The application must be restarted to restore the service. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.

CVE-2020-21682 2021-08-10 4.3 A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format.

CVE-2020-21681 2021-08-10 4.3 A global buffer overflow in the set_color component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format.

CVE-2021-22676 2021-08-10 4.3 UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

CVE-2021-22674 2021-08-10 4.0 The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

CVE-2021-20597 2021-08-06 6.4 Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to login to the target unauthorizedly by sniffing network traffic and obtaining credentials when registering user information in the target or changing a password.

CVE-2021-20598 2021-08-06 5.0 Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to lockout a legitimate user by continuously trying login with incorrect password.

CVE-2021-20594 2021-08-06 5.0 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to acquire legitimate user names registered in the module via brute-force attack on user names.

CVE-2021-23849 2021-08-05 6.8 A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or opening a malicious website while being logged in into the camera.

CVE-2021-21863 2021-08-05 6.8 A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-36764 2021-08-04 5.0 In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.

CVE-2021-36765 2021-08-04 5.0 In CODESYS EtherNetIP before 4.1.0.0, specific EtherNet/IP requests may cause a null pointer dereference in the downloaded vulnerable EtherNet/IP stack that is executed by the CODESYS Control runtime system.

CVE-2021-33485 2021-08-03 7.5 CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.

CVE-2021-33486 2021-08-03 5.0 All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and before version V3.5.17.10 have Improper Handling of Exceptional Conditions.

CVE-2021-36763 2021-08-03 5.0 In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External Parties.

CVE-2021-21865 2021-08-02 6.8 A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21866 2021-08-02 6.8 A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21864 2021-08-02 6.8 A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-29298 2021-07-30 2.6 Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "fxVPStatcTcp.dll".

CVE-2021-29297 2021-07-30 2.6 Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll".

CVE-2020-20741 2021-07-23 7.5 Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if the credentials are incorrect.

CVE-2021-20596 2021-07-22 5.0 NULL Pointer Dereference in MELSEC-F Series FX3U-ENET firmware version 1.14 and prior, FX3U-ENET-L firmware version 1.14 and prior and FX3U-ENET-P502 firmware version 1.14 and prior allows a remote unauthenticated attacker to cause a DoS condition in communication by sending specially crafted packets. Control by MELSEC-F series PLC is not affected and system reset is required for recovery.

CVE-2021-35521 2021-07-22 4.9 A path traversal in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows remote authenticated attackers to achieve denial of services and information disclosure via TCP/IP packets.

CVE-2021-35520 2021-07-22 4.6 A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to achieve code execution, denial of services, and information disclosure via serial ports.

CVE-2021-22772 2021-07-21 7.5 A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T200 ((Modbus) SC2-04MOD-07000100 and earlier), Easergy T200 ((IEC104) SC2-04IEC-07000100 and earlier), and Easergy T200 ((DNP3) SC2-04DNP-07000102 and earlier) that could cause unauthorized operation when authentication is bypassed.


ANNEX III: Vulnerabilities of the new manufacturer (Bosch) in 2021

CVE | Date published | CVSS V2 | Warning Description

CVE-2021-23849 2021-08-05 6.8 A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or opening a malicious website while being logged in to the camera.

CVE-2021-23845 2021-06-18 6.8 This vulnerability could allow an attacker to hijack a session while a user is logged in to the configuration web page. This vulnerability was discovered by a security researcher in B426 and found during internal product tests in B426-CN/B429-CN and B426-M, and has already been fixed starting from version 3.08, which was released in June 2019.

CVE-2021-23846 2021-06-18 4.3 When using the http protocol, the user password is transmitted as a clear-text parameter, which an attacker can obtain through a MITM attack. This will be fixed starting from Firmware version 3.11.5, which will be released on the 30th of June, 2021.

CVE-2021-23853 2021-06-09 7.5 In Bosch IP cameras, improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs.

CVE-2021-23847 2021-06-09 6.4 A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

CVE-2021-23854 2021-06-09 4.3 An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. This issue only affects versions 7.7x and 7.6x. All other versions are not affected.

CVE-2021-23848 2021-06-09 4.3 An error in the URL handler of Bosch IP cameras may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.

CVE-2021-23852 2021-06-09 4.0 An authenticated attacker with administrator rights on Bosch IP cameras can call a URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

CVE-2020-6790 2021-03-25 6.9 Calling an executable through an Uncontrolled Search Path Element in the Bosch Video Streaming Gateway installer up to and including version 6.45.10 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious exe in the same directory where the installer is started from.

CVE-2020-6786 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Recording Manager installer up to and including version 3.82.0055 for 3.82, up to and including version 3.81.0064 for 3.81 and 3.71 and older potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6785 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in Bosch BVMS and BVMS Viewer in versions 10.1.0, 10.0.1, 10.0.0 and 9.0.0 and older potentially allows an attacker to execute arbitrary code on a victim's system. This affects both the installer as well as the installed application. This also affects Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one 5000 and Bosch DIVAR IP all-in-one 7000 with installers and installed BVMS versions prior to BVMS 10.1.1.

CVE-2020-6787 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Client installer up to and including version 1.7.6.079 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6789 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Monitor Wall installer up to and including version 10.00.0164 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2020-6771 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same application directory as the portable IP Helper application.

CVE-2020-6788 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration Manager installer up to and including version 7.21.0078 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same directory where the installer is started from.

CVE-2019-11684 2021-02-26 10.0 Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM) component allows arbitrary and unauthenticated access to a limited subset of certificates, stored in the underlying Microsoft Windows operating system. The fixed versions implement modified authentication checks. Prior releases of VRM software version 3.70 are considered unaffected. This vulnerability affects VRM v3.70.x, v3.71 < v3.71.0034 and v3.81 < 3.81.0050; DIVAR IP 5000 3.80 < 3.80.0039; BVMS all versions using VRM.

CVE-2020-6780 2021-01-26 4.0 Use of Password Hash With Insufficient Computational Effort in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows a remote attacker with admin privileges to dump the credentials of other users and possibly recover their plain-text passwords by brute-forcing the MD5 hash.

CVE-2020-6779 2021-01-26 10.0 Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system.

CVE-2020-6776 2021-01-14 6.8 A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and causing DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface.

CVE-2020-6777 2021-01-14 3.5 A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an authenticated remote attacker with admin privileges to mount a stored Cross-Site-Scripting (XSS) attack against another user. When the victim logs into the management interface, the stored script code is executed in the context of their browser. A successful exploit would allow an attacker to interact with the management interface with the privileges of the victim. However, as the attacker already needs admin privileges, there is no additional impact on the management interface itself.