Today CISA’s NCCIC-ICS published two control system security
advisories for products from Mitsubishi and Johnson Controls. They also updated
three advisories for products from Mitsubishi, Schneider and multiple TCP/IP
stack vendors.

Mitsubishi Advisory

This advisory describes two vulnerabilities in the Mitsubishi FA
engineering software products. The vulnerabilities were reported by
dliangfun. Mitsubishi has new versions that mitigate the
vulnerabilities. There is no indication that dliangfun has been
provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow – CVE-2021-20587, and

• Improper handling of length parameter inconsistency – CVE-2021-20588

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to cause a denial-of-service condition.

Johnson Controls Advisory

This advisory
describes a path traversal vulnerability in the Johnson Controls Metasys
Reporting Engine (MRE) Web Services. The vulnerability was reported by TIM
Security Red Team Research. Johnson Controls has a new version that mitigates
the vulnerability. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled, unauthenticated
attacker could remotely exploit the vulnerability to access and
download arbitrary files from the system.

Mitsubishi Update

This update provides additional information on an advisory that was
originally reported on October 8th, 2020 and most recently updated on
October 29th, 2020. The new information includes updated affected
version and mitigation information for R08/16/32/120PCPU.

Schneider Update

This update provides additional information on an advisory that was
originally published on January 12th, 2020. The new information
includes adding a link to the Schneider advisory.

Embedded TCP/IP Stacks Update

This update provides additional information on an advisory that was
originally published on February 11th, 2021. The new information
includes adding mitigation measures for FNET.

By admin