===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0972
      Advisory (icsa-21-077-03) Hitachi ABB Power Grids eSOMS Telerik
                               19 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           eSOMS Telerik
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19790 CVE-2019-18935 CVE-2017-11357
                   CVE-2017-11317 CVE-2017-9248 CVE-2014-4958
                   CVE-2014-2217  

Reference:         ESB-2018.0469

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03

--------------------------BEGIN INCLUDED TEXT--------------------

TITLE: Advisory (icsa-21-077-03) Hitachi ABB Power Grids eSOMS Telerik
ICS Advisory (ICSA-21-077-03)

Hitachi ABB Power Grids eSOMS Telerik

Original release date: March 18, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: Hitachi ABB Power Grids
  o Equipment: eSOMS Telerik
  o Vulnerabilities: Path Traversal, Deserialization of Untrusted Data,
    Improper Input Validation, Inadequate Encryption Strength, Insufficiently
    Protected Credentials, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
upload malicious files to the server, discover sensitive information, or
execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi ABB Power Grids reports the vulnerabilities affect the following eSOMS
products:

  o eSOMS, all versions prior to 6.3 using a version of Telerik software

3.2 VULNERABILITY OVERVIEW

3.2.1 PATH TRAVERSAL CWE-22

Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote
attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON,
.JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request.

CVE-2019-19790 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET
deserialization vulnerability in the RadAsyncUpload function. It is exploitable
only when the attacker knows the RadAsyncUpload encryption keys; on an
installation that is also missing the fix for 3.2.5 (CVE-2017-9248) those keys
can be recovered, so the two findings should be treated as a single exploit
chain rather than as independent issues.

CVE-2019-18935 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly
restrict user input to RadAsyncUpload, which allows remote attackers to perform
arbitrary file uploads or execute arbitrary code.

CVE-2017-11357 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.4 INADEQUATE ENCRYPTION STRENGTH CWE-326

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017, and in
R2 2017 before SP2, uses weak RadAsyncUpload encryption, which allows remote
attackers to perform arbitrary file uploads or execute arbitrary code.

CVE-2017-11317 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.5 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1
and Sitefinity before 10.0.6412.0 does not properly protect
Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it
easier for remote attackers to defeat cryptographic protection mechanisms,
leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or
ASP.NET ViewState compromise.

CVE-2017-9248 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.6 PATH TRAVERSAL CWE-22

Absolute path traversal vulnerability in the RadAsyncUpload control in the
RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote
attackers to write to arbitrary files, and consequently execute arbitrary code,
via a full pathname in the UploadID metadata value.

CVE-2014-2217 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:H/A:N ).
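The defect class behind 3.2.1 and 3.2.6 is the same: a client-supplied file name is joined onto a server directory and nobody checks where the result lands, so either a "full pathname" (3.2.6) or a name with parent-directory segments (3.2.1) escapes the intended folder. The following is an added example in Python, not code from Hitachi ABB Power Grids, Telerik or CISA. It shows the vulnerable join beside a resolver that enforces containment and an extension allowlist; DEMO_BASE, the function names and the allowlist are assumptions for illustration.

```python
"""Constrained file-name handling for an image handler.

Added example, not code from Hitachi ABB Power Grids, Telerik or CISA.
It shows the defect class behind 3.2.1 (RadChart image read/delete via a
crafted request) and 3.2.6 (RadAsyncUpload write via a full pathname in
UploadID): a client-supplied name joined onto a server directory with no
containment check, beside a resolver that enforces containment and an
extension allowlist. DEMO_BASE, the function names and the allowlist are
assumptions for illustration.
"""
import os
from pathlib import Path

# Assumption: image directory of a hypothetical ASP.NET deployment.
DEMO_BASE = "/srv/esoms/images"

# Allowlist modelled on the image types named in 3.2.1 (.ico stands in for ".ICON").
ALLOWED_EXTENSIONS = {".bmp", ".exif", ".gif", ".ico", ".jpeg", ".jpg",
                      ".png", ".tiff", ".wmf"}


class PathRejected(ValueError):
    """Raised when a client-supplied file name must not be used."""


def vulnerable_resolve(base_dir: str, image_name: str) -> str:
    """Vulnerable pattern: the client controls the tail of the path.

    os.path.join drops base_dir entirely when image_name is absolute
    (the 3.2.6 shape) and does nothing about '..' segments (the 3.2.1
    shape), so both escape the intended directory.
    """
    return os.path.join(base_dir, image_name)


def escapes_base(base_dir: str, image_name: str) -> bool:
    """True when the vulnerable join lands outside base_dir (POSIX view)."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(
        vulnerable_resolve(base_dir, image_name.replace("\\", "/")))
    return os.path.commonpath([base, target]) != base


def safe_resolve(base_dir: str, image_name: str) -> Path:
    """Hardened resolver: returns the path to serve, or raises PathRejected.

    1. Reject rooted names (leading slash, drive letter, NUL) before joining.
    2. Reject '..', '.' and empty segments instead of normalising them away.
    3. Resolve symlinks, then re-check containment on the real path.
    4. Enforce the extension allowlist on the final component.
    """
    base = Path(base_dir).resolve()
    # IIS accepts both separators; canonicalise before inspecting segments.
    name = image_name.replace("\\", "/")
    if (not name or "\x00" in name or name.startswith("/")
            or ":" in name or Path(name).is_absolute()):
        raise PathRejected(f"rooted or malformed name: {image_name!r}")
    if any(seg in ("", ".", "..") for seg in name.split("/")):
        raise PathRejected(f"traversal segment in name: {image_name!r}")
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise PathRejected(f"resolved outside base directory: {candidate}")
    if candidate.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise PathRejected(f"extension not allowed: {candidate.suffix!r}")
    return candidate


def is_safe(base_dir: str, image_name: str) -> bool:
    """True when safe_resolve accepts image_name under base_dir."""
    try:
        safe_resolve(base_dir, image_name)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    for probe in ("charts/report.png", "../web.config",
                  "..\\..\\web.config", "C:\\inetpub\\wwwroot\\web.config",
                  "charts/shell.aspx"):
        print(f"{probe!r:40} vulnerable_escapes={escapes_base(DEMO_BASE, probe)!s:5} "
              f"safe={is_safe(DEMO_BASE, probe)}")
```

The order of checks matters: rejecting rooted names and traversal segments before the join means the resolver never has to reason about what normalisation would have produced, and the post-resolve containment check is what catches a symlink planted inside the image directory. The allowlist is checked on the resolved name, not the submitted one, so a trailing-dot or mixed-case trick cannot slip a server-side script past it.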

3.2.7 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX
RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows
remote attackers to inject arbitrary web script or HTML via CSS expressions in
style attributes.

CVE-2014-4958 has been assigned to this vulnerability. A CVSS v3 base score of
4.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:N/I:L/A:N ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi ABB Power Grids reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi ABB Power Grids has published an advisory for eSOMS Telerik and advises
users to update to eSOMS Version 6.3 as soon as possible.

For additional information and support, contact a product provider or the
Hitachi ABB Power Grids service organization; contact details are listed on
the Hitachi ABB Power Grids contact-centers page.

Recommended security practices and firewall configurations can help protect a
process control network from attacks that originate from outside the network.
Such practices include ensuring applications and servers are physically
protected from direct access by unauthorized personnel, have no direct
connections to the Internet, are separated from other networks by means of a
firewall system that has a minimal number of ports exposed, and others that
must be evaluated case by case. Sensitive application servers should not be
used for Internet surfing, instant messaging, or receiving e-mails. Portable
computers and removable storage media should be carefully scanned for viruses
before they are connected to a control system.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
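For these particular findings, "suspected malicious activity" has a recognisable shape in IIS logs, because every one of them is reached through a Telerik handler with a fixed name. The following is an added example in Python, not code from CISA, Hitachi ABB Power Grids or Telerik. It parses IIS W3C extended log lines and flags the request patterns that correspond to the findings in section 3.2: unauthenticated or external POSTs to the RadAsyncUpload handler (3.2.2 to 3.2.4 and 3.2.6), rapid cycling of the dp parameter against the dialog handler (the key-disclosure issue in 3.2.5), and traversal sequences in the RadChart ImageName parameter (3.2.1). The log lines are constructed for the example; the trusted network range and the probe threshold are assumptions to tune per site.

```python
"""Hunting for probes against the Telerik handlers named in this advisory.

Added example, not code from CISA, Hitachi ABB Power Grids or Telerik.
It parses IIS W3C extended log lines and flags request patterns that
match the findings above:
  * POST to Telerik.Web.UI.WebResource.axd?type=rau (the RadAsyncUpload
    handler behind 3.2.2/3.2.3/3.2.4/3.2.6) from an unauthenticated or
    external client;
  * many distinct 'dp' values sent to Telerik.Web.UI.DialogHandler.aspx
    from one client (probing the dialog-parameter key, 3.2.5);
  * a traversal sequence in the ImageName parameter of ChartImage.axd
    (the RadChart handler, 3.2.1).
SAMPLE_LOG is constructed; TRUSTED_NETS and DIALOG_PROBE_THRESHOLD are
assumptions to tune per site.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, unquote

# Assumption: eSOMS clients sit on this range; anything else is external.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
# Assumption: more distinct dp values than this from one IP is key probing.
DIALOG_PROBE_THRESHOLD = 3

# Constructed sample. IIS writes '-' for empty fields and '+' for spaces.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-18 09:12:01 10.20.1.5 GET /eSOMS/Telerik.Web.UI.WebResource.axd type=rau 443 DOMAIN\\operator1 10.20.3.44 Mozilla/5.0 200
2021-03-18 09:12:09 10.20.1.5 POST /eSOMS/Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.25 200
2021-03-18 09:12:10 10.20.1.5 GET /eSOMS/Telerik.Web.UI.DialogHandler.aspx dp=AAAA 443 - 203.0.113.7 python-requests/2.25 200
2021-03-18 09:12:10 10.20.1.5 GET /eSOMS/Telerik.Web.UI.DialogHandler.aspx dp=AAAB 443 - 203.0.113.7 python-requests/2.25 200
2021-03-18 09:12:11 10.20.1.5 GET /eSOMS/Telerik.Web.UI.DialogHandler.aspx dp=AAAC 443 - 203.0.113.7 python-requests/2.25 200
2021-03-18 09:12:11 10.20.1.5 GET /eSOMS/Telerik.Web.UI.DialogHandler.aspx dp=AAAD 443 - 203.0.113.7 python-requests/2.25 200
2021-03-18 09:13:02 10.20.1.5 GET /eSOMS/ChartImage.axd useSession=false&ImageName=..%5C..%5Cweb.config 443 - 203.0.113.7 curl/7.68 200
2021-03-18 09:13:40 10.20.1.5 GET /eSOMS/ChartImage.axd ImageName=chart1.png 443 DOMAIN\\operator1 10.20.3.44 Mozilla/5.0 200
"""


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#") or fields is None:
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; W3C fields are single-space separated
        yield dict(zip(fields, values))


def is_external(ip: str) -> bool:
    """True unless the client address falls inside a trusted range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in TRUSTED_NETS)


def has_traversal(value: str) -> bool:
    """Detect '..' segments or rooted paths, after undoing double-encoding."""
    v = unquote(unquote(value)).replace("\\", "/")
    return ".." in v.split("/") or v.startswith("/") or ":" in v


def analyse(text: str):
    """Return (rule, client_ip, detail) tuples for suspicious Telerik requests."""
    findings = []
    dialog_probes = {}  # client ip -> set of dp values seen
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec.get("cs-uri-query", "-")
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        ip = rec["c-ip"]
        anonymous = rec.get("cs-username", "-") == "-"
        if stem.endswith("telerik.web.ui.webresource.axd") \
                and params.get("type", [""])[0].lower() == "rau":
            if rec["cs-method"] == "POST" and (anonymous or is_external(ip)):
                findings.append(("rau-upload-untrusted", ip, rec["cs-uri-stem"]))
        elif stem.endswith("telerik.web.ui.dialoghandler.aspx") and "dp" in params:
            dialog_probes.setdefault(ip, set()).update(params["dp"])
        elif stem.endswith("chartimage.axd"):
            name = params.get("ImageName", [""])[0]
            if has_traversal(name):
                findings.append(("chartimage-traversal", ip, name))
    for ip, dps in dialog_probes.items():
        if len(dps) > DIALOG_PROBE_THRESHOLD:
            findings.append(("dialoghandler-key-probing", ip,
                             f"{len(dps)} distinct dp values"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in analyse(SAMPLE_LOG):
        print(f"{rule:28} {ip:15} {detail}")
```

Two points for tuning. Legitimate eSOMS users also hit the type=rau handler, so the upload rule keys on who sent the POST rather than on the handler alone; on a site where the application always authenticates before uploads, an anonymous POST to that handler is itself the signal. The dialog-handler rule counts distinct dp values per client because a single request is normal and the weakness in 3.2.5 only pays off after many of them; set the threshold from a baseline of your own logs before alerting on it.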

No known public exploits specifically target these vulnerabilities. This is the
advisory's standard wording and should not be read as an absence of attacker
interest: public proof-of-concept code for the RadAsyncUpload deserialization
issue (CVE-2019-18935) and for the key-disclosure issue it depends on
(CVE-2017-9248) was available before this advisory was released, and the
executive summary rates the set as exploitable remotely at a low skill level.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================