Category Archives: IoT

Multiple high vulnerabilities in Advantech WebAccess/SCADA -CVE-2019-10989,CVE-2019-10991 & CVE-2019-10993

Preface: Cyber Security expert not suggest access SCADA Dashboard from external area (internet). But we can use VPN establish connection then sign on as a workaround.

Background: Advantech WebAccess/SCADA is a browser-based SCADA software package for supervisory control, data acquisition and visualization.

Vulnerability details: In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data.

CVE-2019-10989 – The specific flaw exists within the implementation of the 0x113d1 IOCTL in the webvrpcs process.

CVE-2019-10991 – The specific flaw exists within bwclient.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process.

CVE-2019-10993 – The specific flaw exists within the implementation of the 0x27E9 IOCTL in the webvrpcs process.

Summary: Stack based & heap based buffer overflow and untrusted pointer dereference Remote Code Execution are all found in this product. Ioctl is a function in the device driver that manages the device’s I/O channels. The so-called I/O channel management is to control some characteristics of the device.

Reference: A stack-based buffer overflow vulnerability exists in a call to strcpy. Strcpy is one of the functions of the C language. It comes from the C standard library, defined in string.h, which can copy a memory block with a null end character into another memory block.
So attacker can leverage this vulnerability to execute code under the context of Administrator.

Advantech has issued an update to correct this vulnerability – https://www.us-cert.gov/ics/advisories/icsa-19-178-05

IoT world hiccups – CVE-2019-12951 Mongoose parse mqtt() Function Heap-Based Buffer Overflow Vulnerability – Now fixed – Jun 2019

Preface: Smart City look like a housekeeper. The sensor is his eye.But do you have question? He is a man or she is a woman.

Background: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker).

What is MQTT? MQTT is a simple messaging protocol, designed for constrained devices with low-bandwidth. It works on the TCP/IP protocol suite.

Vulnerability details: An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.

Impact: It could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system (see attached diagram).

Reference: Example of arbitrary code

strcpy(char *dest, const char *src) – May overflow the dest buffer
strcat(char *dest, const char *src) – May overflow the dest buffer

The vendor has released a bug fix – https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb

Country to country APT attack mechanism not complex, believe that it exploit design flaw instead of backdoor – Jun 2019

Preface: It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, …

Synopsis: Mongoose is a cross-platform embedded web server and networking library with functions including different protocol (TCP, HTTP, WebSocket, Server MQTT client and broker). Since the footprint is small and capable to enables any Internet-connected device to function as a web server. Whereby, the temperature, weather monitoring device and Smart City sensor will make use of it. Most nuclear reactors use water as a moderator, which can also act as a coolant. So IoT temperate is the major component in this area.

Reference: When temperature senor sense the temperature exceed safety level. It will apply graphite to slows neutrons fission.
So the logarithmic reduction of neutron energy per collision.

Vulnerability details: A vulnerability in Cesanta Mongoose could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Remedy: At the time this alert was first released, the vendor has not issued a security advisory.

Vulnerability might jeopardize IoT world – CVE-2019-10160 Python Security Regression Unicode Encoding Vulnerability (Jun 2019)

Preface: IoT device similar a delivery arm of robotic concept. They are the python language heavy duty users.

Python language married with IoT devices – For IoT, there has been a variant of python called Micropython , that lets you program for IoT in Python. Additionally, developer can use Raspberry Pi to program your IoT applications in Python.

Vulnerability details: A vulnerability in the the urllib.parse.urlsplit and urllib.parse.urlparse components of Python could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system.

Synopsis: Python Web application (Web Frameworks for Python) which accepting Unicode URL will be converted to IDNA (Punycode) or ASCII for processing. This conversion will decompose certain Unicode characters that can affect the netloc part of your URL, potentially resulting in requests being sent to an unexpected host.

Remark: Parse a URL into six components, returning a 6-item named tuple. This corresponds to the general structure of a URL: scheme://netloc/path;parameters?query#fragment.

Remedy: Python has released a patch at the following link – https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468

Security Focus – CVE-2018-13888

Preface: This design flaw has attracted me. Perhaps the supplier has no formal remediation solution yet. But the impact of this vulnerability seems to be broad!

Vulnerability detail: There is potential for memory corruption in the RIL daemon due to the following reason.
The location of dereference of memory is outside the allocated array length in RIL.

Meaning of “dereference” (common criteria):
The dereference operator or indirection operator, sometimes denoted by “*” (i.e. an asterisk), is a unary operator (i.e. one with a single operand) found in C-like languages that include pointer variables.

Affected products: Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in versions MDM9206, MDM9607, MDM9635M, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, ZZ_QCS605.

Official announcement – Not found in the bulletins yet : https://www.qualcomm.com/company/product-security/bulletins

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output), transmit beamforming, and with built-in support for all screen projection technologies.

Technology Background:
Computer design primary focus on memory usage. Even though without an exception in SoC (System on a Chip) design.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: Attacker can exploit ThreadX block pool overflow vulnerability to intercept network traffic or achieve code execution on the host system.

Remedy: Marvell encourages customer to contact their Marvell representative for additional support.

Remark: This vulnerability was post on headline news on mid of January 2019. However we could not found any positive responses announce by vendor.

The vulnerability of the Internet of Things 4.0 has attracted the interest of the APT Group in the enemy country.

Preface: Maybe this is a trend! If we are going to the next generation world (IoT 4.0). At the same time, the APT Group is also sniffing the cybersecurity loopholes in that place!

Technical background: In business world we understand the function of broker. A similar situation in computer world, we so called gateway vs middle-ware are equivalence to broker. The modern computer world involves multi vendor and multi-environment and therefore we can’t lack of broker. As a result this area become critical.

Security focus – Schneider Electric IIoT Monitor 3.1.38 vulnerabilities (see below).
Remark: The key component of IIoT monitor 3.1.38 is equivalent Magelis iPC ( IIoT monitor 3.1.38 for Magelis iPC on Windows 10 ).
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-03-IIoT+Monitor+Security+Notification+-+V1.1.pdf&p_Doc_Ref=SEVD-2018-354-03

Comment: Perhaps these vulnerabilities announce to public on Dec 2018. But I believe that more hidden vulnerabilities will be dig out in future. Stay tuned! Happy Lunar New Year.

Security Notification – Schneider EVLink Parking (Dec 2018)

Preface: Electric vehicles (EVs) have no tailpipe emissions. Replacing conventional vehicles with EVs can help improve roadside air quality and reduce greenhouse gas emissions.

Technical background: Level 2 electric car chargers deliver 10 to 60 miles of range per hour of charging. They can fully charge an electric car battery in as little as two hours, making them an ideal option for both homeowners who need fast charging and businesses who want to offer charging stations to customers.

Subject matter expert:
EVlink Parking a charging stations for shared usage or on-street developed by Schneider Electric.

Vulnerabilities found:
Schneider Electric has become aware of multiple vulnerabilities in the EVLink Parking product (see below):

  • A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
  • A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier
  • A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier

Official announcement shown below url: https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-01-EVLink.pdf&p_Doc_Ref=SEVD-2018-354-01

Cisco Security Advisory – Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability – Last Updated: 13th Dec 2018.

Preface: Key component of smart city are the IoT devices. The communication protocol of the IoT devices are Lora, SigFox and NarrowBand (NB).

Background: In realistic, smart city cannot lack of wifi setup for assistance. So, WiFi is one the key component in this family (Smart City).

Vendor Cisco follow up TI BLE chips vulnerability – CVE-2018-16986: Suggest verify with the following command on wireless AP device. If device show not support BLE function and therefore confirm device not vulnerable.

ap# show controllers bleRadio 0 interface
BLE not supported on this platform

If it is supported, please review below URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap