Point-to-Point Protocol Daemon (PPPD) Vulnerability in IDS Telecontrol Products Closed (CVE-2020-8597)

The vulnerability CVE-2020-8597 (see the bulletin dated 22 June 2020) has been remedied in both affected product series (ACOS 710/720/750 and ACOS 730).

Effective immediately, ACOS RTU Version 5.27.1.10 is available for the ACOS 710/720/750 series.

For the ACOS 730 series, ACOS RTU firmware Version 8.8.0.2 is now available.

If you operate the aforesaid products with the mobile phone functionality activated, we recommend installing the update.

If you have any questions or need support on this issue, please contact our customer centre.

Point-to-Point Protocol Daemon (PPPD) Vulnerability in IT Network Components (CVE-2020-8597)

We already informed you about this vulnerability and the available patches in Westermo's WeOS on April 01, 2020.

With this bulletin we keep you informed about patches from other manufacturers:

  • Sophos Firewall UTM: patched as of Release 9.703
  • Westermo WeOS: patched as of Release 4.28.3
  • Hirschmann Cellular Router: patched as of OWL Release 06.2.04
  • Endian Firewall: no patches available yet

If you have any questions or need support on this issue, please contact our customer centre.

Point-to-Point Protocol Daemon (PPPD) Vulnerability in IDS RTUs (CVE-2020-8597)

The CVE-2020-8597 vulnerability affects the product series ACOS 710/720/750 (Release 5) and ACOS 730 (Release 8). However, this vulnerability can be exploited only if the mobile phone functionality is activated in the configuration.

The ACOS 750 series with software version 7, the RTU series IDS 850, IDS 650 and IDS 640 and the HIGH-LEIT NT SCADA system as well as the ACOS ET engineering system are generally NOT affected.

For both affected product series, the criticality of the vulnerability must be assumed to be medium to low even when the mobile phone function is active, because the PPP function is usually used only for communication via public mobile telecommunication infrastructures.

Despite the relatively low criticality, we are taking this vulnerability very seriously and are working on a solution which, in all probability, will be available in calendar week 27 (for ACOS 730) and calendar week 28 (for ACOS 750), respectively.

If you have any questions or need support on this issue, please contact our customer centre.

QNAP warns of Vulnerabilities in QTS

To fix these vulnerabilities, we advise users of QNAP NAS devices to update QTS to the latest version.

If you have any questions or need support on this issue, please contact our customer centre.

Sophos false-positive in the Sophos UTM9 Advanced Threat Protection

Currently, the Advanced Threat Protection of several Sophos UTM firewalls is raising alarms.

The alarms affect an Akamai server; the target invariably is e13678.dspb.akamaiedge.net.

Unfortunately, we have as yet no statement from Sophos concerning these alarms. However, at the moment we assume that these are false alarms, because the same problem has been seen on a large number of independent firewall installations all over the world.

Of course, we will notify you immediately as soon as we have Sophos' official statement on this problem.

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/120293/sophos-utm9-advanced-threat-protection-have-threat-name-c2-generic-a-events-for-ad-dns-server

Installation of Windows Patch may cause Problems

We strongly recommend not installing the current Windows patch KB4550961. After extensive testing we found that some computers do not boot after installation.

We will keep you up to date with further developments.

Dangerous Vulnerabilities in HP Support Assistant

Owners of HP Windows computers are advised to uninstall the HP Support Assistant tool, as the application has been affected by several vulnerabilities for months. To date, HP has not closed all of the security gaps.

Further information:

https://www.heise.de/security/meldung/Gefaehrliche-Sicherheitsluecken-in-HP-Support-Assistant-immer-noch-offen-4697583.html

If you have any questions or need support on this issue, please contact our customer centre.

Westermo – Critical Firmware Vulnerability

On 02.03.2020 it became known that a vulnerability is present in the open source Point-to-Point Protocol Daemon (pppd), versions 2.4.2 to 2.4.8. Among other products, WeOS versions up to 4.28.3 are affected; in versions 4.28.3 and later, the fault has been fixed. Since the vulnerability was rated with a CVSS score of 9.8, it must be classified as "critical". Attackers can crash WeOS or, in the worst case, execute arbitrary code.

If you have any questions or need support on this issue, please contact our customer centre.

New HPE Warning of SSD Failures

Due to a firmware error, certain types of solid-state drives fail after exactly 40,000 hours of operation.

This corresponds to an operating time of approximately 4 years and 206 days. In RAID arrays whose SSDs were put into operation at the same time, all drives fail at the same time.

The affected types are listed on the manufacturer's website:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00097382en_us

Further information:

https://www.heise.de/newsticker/meldung/HPE-warnt-erneut-vor-SSD-Ausfaellen-4689921.html

If you have any questions or need support on this issue, please contact our customer centre.

Vulnerabilities in Trend Micro Products

A remote, unauthenticated attacker can exploit vulnerabilities in Trend Micro Worry-Free Business Security to execute arbitrary code with administrative privileges.

If you have any questions or need support on this issue, please contact our customer centre.

Critical Vulnerability in Microsoft Windows SMBv3

Server Message Block (SMB) is a protocol for file, print and other server services in networks. SMB is a central component of Microsoft Windows network services and is used, among other things, to access files on network drives or to share printers.

According to the BSI, the Windows 10 LTSC (Long Term Servicing Channel) versions 2016 and 2019 and the Windows Server versions 2016 and 2019 are not affected by the vulnerability.

Critical Vulnerability in Meinberg LANTIME Firmware V6 and V7

Admin and info users can use the file upload mechanism to read or replace files, or to see other users, which normally only the root user can access.

Vulnerability (CVE-2020-0601) in Windows 10 and Various Versions of Windows Server

A flawed crypto library in Windows allows an attacker to sign an executable file with a spoofed certificate so that Windows classifies it as coming from a trusted source.

Critical Vulnerability in Citrix Gateway

The vulnerability is tracked by Citrix as CTX267679 and affects the Citrix NetScaler Gateway.

Citrix has provided a workaround and has announced a fixed version for 20.01.2020.

Vulnerability in Cisco IOS and Cisco IOS XE Web User Interface regarding Cross-Site Request Forgery (CSRF)

A vulnerability in the web UI of Cisco IOS and Cisco IOS XE software could allow a remote attacker to acquire the user rights of a targeted user of the interface and to modify the firewall.

This type of attack can be prevented by disabling the HTTP server in the configuration until a software fix has been installed.

Cisco X.509 Certificates Expire on 1.1.20

Due to an error, all self-signed X.509 certificates generated using Cisco IOS expire on Jan 1, 2020, and it is not possible to generate new ones.

Trend Micro: Vulnerability Enables Privilege Escalation

A remote, anonymous attacker can exploit a vulnerability in Trend Micro Internet Security and Trend Micro AntiVirus to elevate their privileges, enabling them to execute malicious program code or take over the computer.

Possible SSD Failure on HP Servers - Firmware Update Required

A firmware defect may cause SSDs to stop operating after 32,768 hours, resulting in data loss.
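A check a practitioner might run against both HPE thresholds named on this page (40,000 and 32,768 power-on hours); this is an added example, not code from the bulletin or from HPE. It parses SMART attribute 9 (Power_On_Hours) from `smartctl -A` output, here a constructed sample rather than a real capture, and flags RAID members that would reach the threshold within the same week; the array layout `RAID_SETS` is hypothetical.

```python
import re
from datetime import timedelta

# Power-on-hour thresholds from the two HPE bulletins; which one applies
# depends on the SSD model (see the HPE document linked above).
THRESHOLD_40K = 40_000
THRESHOLD_32K = 32_768

# Constructed sample of `smartctl -A` attribute lines (not captured from
# real HPE hardware). sda/sdb mimic a RAID pair started on the same day;
# sdc is a younger drive in the same array.
SAMPLE_SMART = {
    "sda": "  9 Power_On_Hours   0x0032   100   100   000   Old_age   Always   -   39850",
    "sdb": "  9 Power_On_Hours   0x0032   100   100   000   Old_age   Always   -   39850",
    "sdc": "  9 Power_On_Hours   0x0032   100   100   000   Old_age   Always   -   12000",
}
RAID_SETS = {"md0": ["sda", "sdb", "sdc"]}  # hypothetical array layout

# Attribute 9 line: id, name, flags, values ..., raw value as the last field.
_ATTR9 = re.compile(r"^\s*9\s+Power_On_Hours\b.*\s(\d+)\s*$", re.M)

def power_on_hours(smart_text: str) -> int:
    """Return the raw Power_On_Hours value from `smartctl -A` text."""
    m = _ATTR9.search(smart_text)
    if m is None:
        raise ValueError("Power_On_Hours attribute not found")
    return int(m.group(1))

def time_to_threshold(hours: int, threshold: int) -> timedelta:
    """Wall-clock time until the counter reaches the firmware threshold
    (zero if it has already been reached)."""
    return timedelta(hours=max(threshold - hours, 0))

def raid_risk(raid_sets, smart_by_dev, threshold, window_hours=168):
    """For each array, report the soonest failure and the members that hit
    the threshold within one week of it: those drives fail together, which
    defeats the redundancy the array is supposed to provide."""
    report = {}
    for name, members in raid_sets.items():
        left = {d: threshold - power_on_hours(smart_by_dev[d]) for d in members}
        soonest = min(left.values())  # negative: threshold already passed
        together = sorted(d for d, h in left.items() if h - soonest <= window_hours)
        report[name] = {"hours_to_first_failure": soonest, "fail_together": together}
    return report

if __name__ == "__main__":
    for dev, text in SAMPLE_SMART.items():
        h = power_on_hours(text)
        print(f"{dev}: {h} h, {time_to_threshold(h, THRESHOLD_40K)} until 40,000 h")
    print(raid_risk(RAID_SETS, SAMPLE_SMART, THRESHOLD_40K))
```

Drives behind a hardware RAID controller usually need the controller's own tool (or `smartctl -d` with the controller type) to expose the per-disk attributes, so the parsing step is the part to adapt.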

The affected HP model numbers are listed on the HP support webpage.

If you have any questions or need support on this issue, please contact our customer centre.

Vulnerability in Cisco IOS

The Cisco ASA appliance provides security functions such as firewall and VPN. Firepower is a firewall platform from Cisco.

A remote, authenticated attacker can use a vulnerability in Cisco ASA (Adaptive Security Appliance) and Cisco Firepower to execute arbitrary program code with admin rights.

If you have any questions or need support on this issue, please contact our customer centre.

WannaCry: Massive Worldwide Ransomware Attack

In a massive cyber attack on Friday, 12 May 2017, criminals exploited critical vulnerabilities in all Windows operating systems and infected tens of thousands of computers with encryption malware.

Microsoft issued a patch for their current operating systems in the middle of March 2017, followed by a patch for operating systems that are already out of support (e.g. Windows XP) on 13 May 2017. More information on this topic is available on heise.de.

Once more it has become evident that patch management and other measures such as protecting interfaces against external attacks, hardening, and antivirus protection are vital for the secure operation of control systems.

Therefore, we urgently recommend that you install the patch on your system immediately or have it installed by IDS staff. Please contact our Customer Competence Center for help.

Critical Vulnerabilities in Cisco Firewalls

The so-called zero-day vulnerability is located in the Simple Network Management Protocol (SNMP) implementation of the Adaptive Security Appliance (ASA) software. Attackers can exploit this vulnerability remotely to execute their own code and, as a worst-case scen

Critical Vulnerability in ASA Firewalls

We would like to inform you that a critical vulnerability has been detected in ASA firewalls. According to Cisco, the following products are affected when the VPN function (via IPSec) is activated:

  • ASA 5500 Series Adaptive Security Appliance
  • ASA 5500-X Series Next-Generation Firewall
  • ASA Services Module for Cisco Catalyst 6500 Series Switches
  • Cisco 7600 Series Router
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 9300 ASA Security Module
  • ISA 3000 Industrial Security Appliance


What exactly is this Security Gap?
Specially crafted data packets sent to the devices listed above are written into memory during processing in such a way that a buffer overflow in the heap lets attackers smuggle malicious code into memory, where it is then executed. Attackers are thus able to compromise a particularly sensitive part of the network infrastructure and, from there, advance deeper into the network.

Workaround/Urgent Measures?
We recommend taking the VPN connections out of service until the appropriate patch has been installed.

How to Close the Security Gap
Given that, by design, the Cisco firewall is exposed to data traffic from outside, this problem can only be solved by installing the appropriate patch to secure the network. Here, we have to differentiate between the following cases:

  1. You are entitled to the manufacturer's support for the affected device and have a service agreement for patch management of the firewall with IDS. In this case, you don't have to do anything at all. We will get in touch with you as quickly as possible to install the patch; this is part of the service agreement.
  2. You are entitled to the manufacturer's support for the affected device, but have NOT made a service agreement for patch management of the firewall with IDS. In this case, we invoice our services on a time and effort basis, in accordance with our current Service Price List.
  3. The manufacturer's support for the affected device has expired. In this case, we support you in finding out whether the patch is still available, whether the manufacturer's support can be extended, or whether the device needs to be replaced.

Our Offer for You!
In cases 2 and 3, please contact our Customer Service Center (phone: 07243/218-990, email: kundencenter[at]ids[dot]de, or via our website) if you are using the aforementioned firewalls. We are happy to recommend the most economical solution for your system.

For further information on IT security and on our service portfolio, please contact our Security Officer and Head of Services Department, Mr Dieter Göbelbecker.