Hospira Symbiq Infusion System Vulnerability
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on June 23, 2015, and is being released to the NCCIC/ICS-CERT web site. Independent researcher Billy Rios identified a vulnerability in Hospira’s Symbiq Infusion System, which can be exploited to remotely control th...
Schneider Electric Wonderware System Platform Vulnerabilities
OVERVIEW Ivan Sanchez of WiseSecurity Team has identified a fixed search path vulnerability in Schneider Electric’s Wonderware InTouch, Application Server, Historian, and SuiteLink applications, which are part of the Wonderware System Platform suite. Schneider Electric has produced a patch that...
Wind River VxWorks TCP Predictability Vulnerability in ICS Devices (Update B)
OVERVIEW This updated advisory is a follow-up to the updated advisory titled ICSA-15-169-01A Wind River VxWorks TCP Predictability Vulnerability in ICS Devices that was published November 5, 2015, on the NCCIC/ICS-CERT web site. Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a...
Schneider Electric StruxureWare Building Expert Plaintext Credentials Vulnerability
OVERVIEW Ashish Kamble of Qualys Security and Eireann Leverett have identified authentication, denial of service, and cross-site scripting vulnerabilities in GarrettCom’s Magnum 6k and Magnum 10k product lines. GarrettCom has produced new firmware versions to mitigate these vulnerabilities. Ashis...
RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A)
OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-15-162-01 RLE Nova‑Wind Turbine HMI Unsecure Credentials Vulnerability that was published June 11, 2015, on the NCCIC/ICS-CERT web site. Independent researcher Maxim Rupp has identified an unsecure credential...
Hospira Plum A+ and Symbiq Infusion Systems Vulnerabilities
OVERVIEW Independent researcher Billy Rios has identified vulnerabilities in Hospira’s Plum A+ Infusion System that are similar to vulnerabilities identified in Hospira’s LifeCare PCA Infusion System discussed in advisory, ICSA-15-125-01B Hospira LifeCare PCA Infusion System Vulnerabilities...
Sinapsi eSolar Light Plaintext Passwords Vulnerability
OVERVIEW Independent researcher Maxim Rupp has identified plain text passwords in Sinapsi’s eSolar Light application. Sinapsi has produced a new version to mitigate this vulnerability. AFFECTED PRODUCTS The following Sinapsi eSolar Light versions are affected: Sinapsi eSolar Light firmware versio...
N-Tron 702W Hard-Coded SSH and HTTPS Encryption Keys (Update A)
OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-15-160-01 N-Tron 702W Hard-Coded SSH and HTTPS Encryption Keys that was published June 9, 2015, on the NCCIC/ICS-CERT web site. Independent researcher Neil Smith has identified hard-coded SSH and HTTPS encryption...
XZERES 442SR Wind Turbine CSRF Vulnerability
OVERVIEW Independent researcher Maxim Rupp has identified a cross-site request forgery (CSRF) vulnerability in XZERES’s 442SR turbine generator operating system (OS). XZERES has produced a patch to mitigate this vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS The...
Network Time Protocol Vulnerabilities (Supplement)
OVERVIEW This advisory supplement is to accompany the NCCIC/ICS-CERT advisory titled ICSA-14-353-01 Network Time Protocol Vulnerabilities that was published December 19, 2014, on the ICS‑CERT web site. Please refer to the original advisory for all the details of the vulnerabilities. The purpose o...
Network Time Protocol Vulnerabilities (Supplement Update A)
OVERVIEW --------- Begin Update A Part 1 of 2 -------- This advisory supplement is to accompany the NCCIC/ICS-CERT advisory titled ICSA-14-353-01C Network Time Protocol Vulnerabilities that was published February 5, 2015, on the ICS‑CERT web site. --------- End Update A Part 1 of 2 ----------...
Beckwith Electric TCP Initial Sequence Vulnerability
OVERVIEW Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, have identified a TCP initial sequence numbers vulnerability in two of Beckwith Electric’s...
Moxa SoftCMS Buffer Overflow Vulnerability
OVERVIEW NCCIC/ICS-CERT received a report from HP’s Zero Day Initiative (ZDI) concerning a buffer overflow vulnerability in Moxa’s SoftCMS software package. This vulnerability was reported to ZDI by security researcher Ariele Caltabiano. Moxa has produced a new version that mitigates this...
IDS RTU 850 Directory Traversal Vulnerability
OVERVIEW Independent researchers Benjamin Kahler and Sebastian Kraemer of HSASec have identified a directory traversal vulnerability in IDS RTU 850C. IDS has produced a new module that mitigates this vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS The following ID...
Mitsubishi Electric MELSEC FX-Series Controllers Denial of Service
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on May 26, 2015, and is being released to the NCCIC/ICS-CERT web site. Ralf Spenneberg of OpenSource Security has identified a denial of service (DoS) vulnerability in the Mitsubishi Electric Automation, Inc.,...
Schneider Electric OFS Server Vulnerability (Update A)
OVERVIEW --------- Begin Update A Part 1 of 4 -------- This updated advisory is a follow-up to the original advisory titled ICSA-15-141-01 Schneider Electric OFS Server Vulnerability that was published May 21, 2015, on the NCCIC/ICS-CERT web site. Ivan Sanchez from Nullcode Team has identified tw...
Rockwell Automation RSView32 Weak Encryption Algorithm on Passwords
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on May 12, 2015, and is being released to the NCCIC/ICS-CERT web site. Rockwell Automation has produced a patch to mitigate a password encryption vulnerability in RSView32. Information Security Analysts Vladimir...
Hospira LifeCare PCA Infusion System Vulnerabilities
OVERVIEW OSIsoft has identified and reported to NCCIC/ICS-CERT a default permissions vulnerability in PI AF product. OSIsoft has produced a mitigation plan to remove this vulnerability. This vulnerability could be exploited remotely. AFFECTED PRODUCTS OSIsoft reports that the vulnerability affect...
Hospira LifeCare PCA Infusion System Vulnerabilities
OVERVIEW This updated advisory is a follow-up to the updated advisory titled ICSA-15-125-01A Hospira LifeCare PCA Infusion System Vulnerabilities that was published May 13, 2015, on the NCCIC/ICS-CERT web site. --------- Begin Update B Part 1 of 9 -------- Independent researcher Billy Rios has...
Hospira LifeCare PCA Infusion System Vulnerabilities
OVERVIEW Independent researcher Billy Rios has identified an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira’s LifeCare PCA Infusion System, which NCCIC/ICS-CERT has been coordinating with Hospira since May 2014. This advisory is...
Opto 22 Multiple Product Vulnerabilities
OVERVIEW Ivan Sanchez from Nullcode Team has identified two buffer overflow vulnerabilities that are present in Opto 22’s PAC Project Professional, PAC Project Basic, OptoOPCServer, OptoDataLink, PAC Display Basic, and PAC Display Professional products. Opto 22 has released new versions that...
Emerson AMS Device Manager SQL Injection Vulnerability
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on April 21, 2015, and is being released to the NCCIC/ICS-CERT web site. Emerson Process Management has identified an SQL injection vulnerability in its AMS Device Manager application. Emerson has produced a patch...
Rockwell Automation RSLinx Classic Vulnerability
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on April 21, 2015, and is being released to the NCCIC/ICS-CERT web site. Ivan Sanchez of WiseSecurity Team has identified a stack-based buffer overflow vulnerability in Rockwell Automation’s OPCTest.exe, which is a...
Siemens SIMATIC HMI Devices Vulnerabilities (Update E)
OVERVIEW This updated advisory is a follow-up to the updated advisory titled ICSA-15-099-01D Siemens SIMATIC HMI Devices Vulnerabilities that was published September 10, 2015, on the NCCIC/ICS‑CERT web site. Siemens has identified three vulnerabilities in its SIMATIC HMI devices. These...
Moxa VPort ActiveX SDK Plus Stack-Based Buffer Overflow Vulnerability
OVERVIEW HP’s Zero Day Initiative (ZDI) reports that independent researcher Ariele Caltabiano has identified a stack-based buffer overflow vulnerability in the Moxa VPort ActiveX SDK Plus application. Moxa has produced an update that mitigates this vulnerability. This vulnerability could be exploit...
Schneider Electric VAMPSET Software Buffer Overflow Vulnerability
OVERVIEW Schneider Electric has notified NCCIC/ICS-CERT of a buffer overflow vulnerability in the Schneider Electric VAMPSET software product. Ricardo Narvaja and Joaquín Rodríguez of Core Security reported this vulnerability directly to Schneider Electric. Schneider Electric has published a...
Hospira MedNet Vulnerabilities
OVERVIEW Independent researcher Billy Rios has identified four vulnerabilities in Hospira’s MedNet server software. Hospira has released a new version of the MedNet software and provided mitigation recommendations that mitigate the reported vulnerabilities. Three of the four vulnerabilities could...
Inductive Automation Ignition Vulnerabilities
OVERVIEW Evgeny Druzhinin, Alexey Osipov, Ilya Karpov, and Gleb Gritsai of Positive Technologies have identified several vulnerabilities in Inductive Automation’s Ignition Software. Inductive Automation has produced a patch that mitigates these vulnerabilities. These vulnerabilities could be...
Ecava IntegraXor DLL Vulnerabilities
OVERVIEW Security researcher Praveen Darshanam has identified two DLL loading vulnerabilities in Ecava’s IntegraXor SCADA Server. Ecava has produced a patch that mitigates these vulnerabilities. Praveen Darshanam has tested the patch to validate that it resolves the vulnerabilities. AFFECTED...
Siemens ROS Improper Input Validation (Update A)
OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-14-087-01 Siemens ROS Improper Input Validation that was published March 28, 2014, on the NCCIC/ICS-CERT web site. Researcher Aivar Liimets from Martem Telecontrol Systems reported an improper input validation...
Schneider Electric Serial Modbus Driver Buffer Overflow (Update A)
OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-14-086-01A Schneider Electric Serial Modbus Driver Buffer Overflow that was published March 27, 2014, on the NCCIC/ICS-CERT web site. Carsten Eiram of Risk-Based Security has identified a stack-based buffer overflo...
Festo CECX-X-(C1/M1) Controller Vulnerabilities
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on March 25, 2014, and is now being released to the NCCIC/ICS-CERT web site. K. Reid Wightman of IOActive, Inc. has identified vulnerabilities in Festo’s CECX-X-C1 and CECX-X-M1 controllers. Festo has decided not to...
Advantech WebAccess Vulnerabilities
OVERVIEW This advisory is a follow-up to the original advisory titled “ICSA-14-079-03P Advantech WebAccess Vulnerabilities” that was posted to the US-CERT secure Portal library March 20, 2014. Researchers working with HP’s Zero Day Initiative (ZDI), Andrea Micalizzi, aka rgod, Tom Gallagher, and an...
Siemens SIMATIC S7-1200 Improper Input Validation Vulnerabilities
OVERVIEW Siemens has reported two improper input validation vulnerabilities discovered separately by Prof. Dr. Hartmut Pohl of softScheck GmbH and Arne Vidström of Swedish Defence Research Agency (FOI) in Siemens’ SIMATIC S7-1200 PLC. Siemens has produced a new version that mitigates these...
Siemens SIMATIC S7-1200 Vulnerabilities
OVERVIEW Siemens, Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from the FU Berlin’s work team SCADACS, and Positive Technologies’ researchers Alexey Osipov, and Alex Timorin have identified six vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens h...
Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities
OVERVIEW Siemens and Positive Technology researchers Yury Goltsev, Llya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin have identified nine firmware vulnerabilities in the Siemens SIMATIC S7-1500 CPU Firmware. Siemens has produced a patch that mitigates these vulnerabilities. These...
Schneider Electric StruxureWare SCADA Expert ClearSCADA Parsing Vulnerability
OVERVIEW Andrew Brooks identified and reported to The Zero Day Initiative (ZDI) a File Parsing Vulnerability: Schneider Electric StruxureWare SCADA Expert ClearSCADA ServerMain.exe OPF File Parsing Vulnerability. Schneider Electric has prepared workarounds and helped develop security upgrades for a...
Yokogawa CENTUM CS 3000 Vulnerabilities (Update A)
OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-14-070-01 Yokogawa CENTUM CS 3000 Vulnerabilities that was published March 11, 2014, on the NCCIC/ICS-CERT web site. Juan Vazquez of Rapid7 Inc. [Rapid7 Inc., http://www.rapid7.com, web site last accessed March 11,...]
Schneider Electric OFS Buffer Overflow Vulnerability
OVERVIEW Schneider Electric has reported to NCCIC/ICS-CERT a Stack Buffer Overflow vulnerability supplied with the Schneider Electric OPC Factory Server (OFS). Independent researcher known as 0x7A240E67 submitted the vulnerability to ZDI, who provided coordination with the vendor and ICS-CERT...
Schneider Electric Floating License Manager Vulnerability
OVERVIEW Schneider Electric had become aware of an “unquoted service path” vulnerability in the Schneider Electric Floating License Manager, produced a patch [Schneider Electric Security Notification SEVD 2014-015-01v3,...]
NTP Reflection Attack
OVERVIEW NCCIC/ICS-CERT has been following the increase in denial-of-service (DoS) attacks using Network Time Protocol (NTP) Reflection. This type of attack provides an adversary the ability to generate high volume distributed denial of service (DDoS) traffic to target web sites or public‑facing device...
Siemens RuggedCom Uncontrolled Resource Consumption Vulnerability (Update B)
OVERVIEW This updated advisory is a follow-up to the updated advisory titled ICSA-14-051-03A Siemens RuggedCom Uncontrolled Resource Consumption Vulnerability that was published March 18, 2014, on the NCCIC/ICS-CERT web site. Researchers Ling Toh Koh, Ng Yi Teng, Seyed Dawood Sajjadi Torshizi, Ry...
ICONICS GENESIS32 Insecure ActiveX Control
OVERVIEW NCCIC/ICS-CERT discovered a vulnerability in the ICONICS GENESIS32 application during resolution of unrelated products. ICONICS has produced a patch for all vulnerable versions of its GENESIS32 product. ICONICS GENESIS32 Version 9.0 and newer are not vulnerable to this ActiveX...
Mitsubishi Electric Automation MC-WorX Suite Unsecure ActiveX Control
OVERVIEW This advisory is a follow-up to the original alert, titled ICS-ALERT-13-259-01 Mitsubishi MC-WorX Suite Unsecure ActiveX Control [ICS-ALERT-13-259-01 Mitsubishi MC-WorkX Suite Insecure ActiveX Control, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-259-01, web site last accessed February...]
Bash Command Injection Vulnerability (Supplement)
OVERVIEW This advisory supplement is to accompany the NCCIC/ICS-CERT advisory titled ICSA-14-269-01 Bash Command Injection Vulnerability and all following updates that were originally published September 26, 2014, on the ICS-CERT web site and posted to the US-CERT secure Portal library. Please...
Siemens SIMATIC WinCC OA Multiple Vulnerabilities
OVERVIEW Researchers Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies have identified multiple vulnerabilities in the Siemens SIMATIC WinCC Open Architecture (OA) application. Siemens has produced updates that mitigate these vulnerabilities. These vulnerabilities could be...
3S CoDeSys Runtime Toolkit NULL Pointer Dereference
OVERVIEW Independent researcher Nicholas Miles has identified a NULL pointer dereference vulnerability in Smart Software Solutions (3S) CoDeSys Runtime Toolkit application. 3S has produced an update that mitigates this vulnerability. Nicholas Miles has tested the update to validate that it resolves...
GE Proficy Vulnerabilities
OVERVIEW Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and...
Rockwell RSLogix 5000 Password Vulnerability
OVERVIEW This advisory was originally posted to the US-CERT secure Portal library on January 21, 2014, and is now being released to the NCCIC/ICS-CERT Web site. Independent researcher Stephen Dunlap has identified a password vulnerability in the Rockwell Automation RSLogix 5000 software. Rockwell...
Ecava IntegraXor Buffer Overflow Vulnerability
OVERVIEW This advisory is a follow-up to the alert titled ICS-ALERT-14-015-01 Ecava IntegraXor Buffer Overflow Vulnerability that was published January 15, 2014, on the NCCIC/ICS-CERT Web site. Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXo...