Redcon

REDCON is short for Readiness Condition, a term associated with a military unit’s readiness to respond to and engage in combat operations.

07/10/2019

Please be aware of vulnerabilities related to multiple Yokogawa products according to CISA.
Affected Model: Exaopc (R1.01.00 - R3.77.00), Exaplog (R1.10.00 - R3.40.00), Exaquantum (R1.10.00 - R3.02.00), Exaquantum/Batch (R1.01.00 - R2.50.40), Exasmoc (All Revisions), Exarqe (All Revisions), GA10 (R1.01.01 - R3.05.01), InsightSuiteAE (R1.01.00 - R1.06.00)

Applicability: Used in multiple industrial control and automation systems

Protocols: NIL

Vulnerability:

Successful exploitation of this vulnerability could allow an attacker to execute malicious files. Exploitation requires a low skill level, and the attacker must have authentication credentials and successfully authenticate on the system. This vulnerability cannot be exploited remotely.
Yokogawa has provided countermeasures on the affected products.

Common Vulnerabilities and Exposures (CVE) code: CVE-2019-6008

Criticality: CVSS score of 8.4, HIGH [CVSS vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; calculator: https://www.first.org/cvss/calculator/3.0]

Researchers: Vendor Self-Declared

Sources:
- https://www.us-cert.gov/ics/advisories/icsa-19-274-02
- https://isssource.com/yokogawa-countermeasures-for-vulnerability/
- https://www.cybersecurity-help.cz/vdb/SB2019100204?affChecked=1
- https://web-material3.yokogawa.com/1/28032/files/YSAR-19-0003-E.pdf?_ga=2.240459584.213272689.1570352483-1565894553.1567324952

IACS End-Users are advised to check with Yokogawa for further updates, and to perform proper impact analysis and risk assessment prior to deploying defensive measures.

For an archived list of published threat advisory, please visit http://www.redconsa.sg/TA/index.html.


13/09/2019

This is an update to IACS - 20190724-1 - Critical Vulnerabilities in the Latest Generation of the Siemens Proprietary Cryptographic Protocol in the S7.

Affected Model: SIMATIC ET 200SP Open Controller CPU 1515SP PC (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7-1200 CPU family (All versions >= V4.0), SIMATIC S7-1500 CPU family (All versions), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions) [UPDATE-20190912]

Applicability: Used in multiple industrial control and automation systems

Protocols: Latest proprietary cryptographic protocol in the S7

Vulnerability:

Vulnerabilities in the Siemens S7 Simatic architecture allow a spoofed TIA engineering station to manipulate operations of the affected PLC by remotely starting and stopping the PLC, including downloading rogue command logic to the S7 PLC. The rogue logic is obfuscated in the PLC, which would show only legitimate PLC source code even if checked by a process engineer. The malicious code therefore continues to run in the background, issuing rogue commands to the PLC.

Siemens advises enabling the "access protection" feature in its Simatic S7-1200 and S7-1500 to prevent "unauthorized modifications" of the devices.

Researchers from Tel Aviv University explain that Siemens S7 PLCs share the same crypto key-pair.

Common Vulnerabilities and Exposures (CVE) code: CVE-2019-10929 [UPDATE-20190912]

Criticality: CVSS score of 5.9, MEDIUM [UPDATE-20190912]

Researchers: Tel Aviv University

Sources:
- https://www.darkreading.com/vulnerabilities---threats/siemens-s7-plcs-share-same-crypto-key-pair-researchers-find-/d/d-id/1335452 [UPDATE-20190912]
- https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs-wp.pdf [UPDATE-20190912]
- https://cert-portal.siemens.com/productcert/pdf/ssa-232418.pdf [UPDATE-20190912]
- https://nvd.nist.gov/vuln/detail/CVE-2019-10929 [UPDATE-20190912]

IACS End-Users are advised to check with the Siemens ProductCERT for further updates, and to confirm whether their similar products are affected by the same vulnerabilities.

For an archived list of published threat advisory, please visit http://www.redconsa.sg/TA/index.html.

To subscribe, please send email to [email protected] with Subject: Subscribe Me


13/09/2019

Please be aware of 2 critical vulnerabilities related to the Microsoft Operating System, which were recently disclosed by zerodayinitiative.

Microsoft OS is widely adopted by many OT manufacturers in their products. It is widely proliferated across multiple industries such as aerospace and defense, medical devices, industrial equipment, robotics, energy, transportation, network infrastructure, automotive, and consumer electronics.

Affected OS: Windows 7 to Windows Server 2019
Applicability: Broad spectrum
Protocols: Nil
Vulnerability:
An authenticated cyber attacker with low privilege can exploit both the Winsock (ws2ifsl.sys) and CLFS vulnerabilities to escalate from User level to Administrator level access, leading to system compromise and takeover.
Both vulnerabilities are currently known to be exploited, likely already weaponised.
Common Vulnerabilities and Exposures (CVE) code:
CVE-2019-1215
CVE-2019-1214
Criticality: Under analysis by NIST
Researchers: zerodayinitiative
Sources:
- https://www.zerodayinitiative.com/blog/2019/9/10/the-september-2019-security-update-review
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1215
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1214

Both IT and OT End-Users are advised to plan patch rollout as soon as possible. It is advisable to perform proper impact analysis and risk assessment prior to deploying defensive measures.

For an archived list of published threat advisory, please visit http://www.redconsa.sg/TA/index.html.

To subscribe, please send email to [email protected] with Subject: Subscribe Me


09/08/2019

Happy 54th Birthday Singapore!

Address

71 Bukit Batok Crescent #06-11 Prestige Centre
Singapore
658071
