Website compromised on discontinued series5
ICSA-20-126-02 | CVE-2020-10630, CVE-2020-10634
On May 5, US-CERT and CISA released vulnerability advisory ICSA-20-126-02, reporting a vulnerability discovered in the web server of discontinued series5 stations.
The advisory refers to an error in the command processing of the web page of the already discontinued 1st generation of series5 telecontrol stations with eco920 CPU core. Cross-site scripting can be used to execute commands on the web page that can compromise the system, and path traversal can allow unauthorised access to the RTU file system; a more detailed description can be found in the advisory. The access control of the web server, which is controlled by username and password, does not mitigate these vulnerabilities.
If the web page is deactivated in the station configuration, i.e. the web server is switched off, then these vulnerabilities do not exist.
The notification refers to FW-50 series5 with CPU-5B, which were delivered in the period 2009 to about 2015; contrary to the information provided, the version of the CPLD is not relevant. In addition to the FW-50, the net-line FW-5 or net-line FW-5-BT and the net-line FW-5000 also belong to series5.
New stations of type series5+ or series5e, such as the following, are not affected:
- net-line FW-5 series5+, net-line FW-5 series5e
- net-line FW-5-GATE, net-line FW-5-GATE series5e, protocol converter
- net-line FW-5-GATE-4G series5e, net-line FW-5-GATE-450 series5e
- net-line FW-50 series5+, net-line FW-50 series5e
- net-line FW-5000 series5+, net-line FW-5000 series5e
- net-line BCU-50 series5+, net-line BCU-50 series5e
The FW-50 as well as the compact FW-5 station and the FW-5000 master station are available in the generations series5, series5+ and series5e; each of these refers to a corresponding hardware configuration and CPU. The current version is the series5e; the series5+ is still under maintenance; the series5 has been discontinued.
The vulnerability addressed in the ICSA refers to a discontinued series5 product that was phased out in 2015. Stations of this generation can still be configured with current software, but changes to the firmware are no longer possible.
Why is this message coming up now?
A plant in Turkey was not upgraded according to our recommendations, or the information was not forwarded or was lost when the investigated plant components were sold. The new operator commissioned a company to check the asset, and we received a corresponding notification. Again, we referred to our general recommendations, the shutdown of the web page and the age of the asset, but could not close the vulnerability for the above reasons; we strongly recommended upgrading the assets if the web server is of operational relevance.
The listed vulnerabilities can only be reached under certain conditions and can also be closed by other measures such as switching off the web server. The recommendations from the Checklist_IT-Security_@_SAE_IT-systems also apply. Otherwise, the measures listed in the advisory apply, such as an upgrade to series5e and an update of the setIT version. With the FW-50, typically only the CPU has to be exchanged (rarely also the rack, if it is not a current BGT-x-USB); with the FW-5(-BT), the RTU unit has to be exchanged. Input/output cards and interfaces do not have to be exchanged.
"CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures."
Future setIT versions will point out, when series5 stations are generated, that systems which are no longer under maintenance and may have security flaws are being used.
We very much regret the incident and apologize if any inconvenience was caused. With our measures, recommendations and extensive version notes on the updates, we try to keep you up to date in a transparent way. If you have any suggestions for improving this information chain, we would be very pleased to receive your feedback.
If you have any questions about the above-mentioned topics, please do not hesitate to contact us.