
BAS Vulnerability Advisories Thread

#1 ·
Hi all!

I'm the founder of Crystal Peak Security, a team of security researchers focused on the hardware/firmware security of Business Automation Systems.

A steady drumbeat of security vulnerabilities is reported weekly, covering a variety of products. With such a high volume of information, it's difficult to determine how Building Automation Systems are affected and how to assess the risk to installations. Each week, we summarize relevant Cybersecurity Advisories published by CISA so you can quickly and easily determine which of the many products at risk apply to you. Much of the information is going to be irrelevant to you; our goal is to make it skimmable in ~30 seconds so you can easily determine if something you use has an advisory that needs to be addressed.

This week's issue can be read here: crystalpeaksecurity.com/posts/07_03_2023_cisa_summary/
Vendors that are affected:

- Delta Electronics
- Enphase
- Hitachi Energy
- Medtronic
- Mitsubishi Electric
- Ovarro
- Rockwell Automation
- Schneider Electric

Feel free to reach out with any questions or feedback! I'll be posting these summaries weekly. Cheers.
 
#2 ·
I looked at the schneider one on your website. It only had an announcement from Schneider itself, and nothing else. Is that typical?
My experience is BAS manufacturers are generally told about their exploits (they do not find them themselves), and publish a bland 'update now' announcement. But they do not give details as to what exactly the vulnerability was, how it was disclosed, how an attacker might exploit it, and other grittier (but less positive for the company) details.
Do you publish stuff like that?
 
#6 ·
It only had an announcement from Schneider itself, and nothing else.
SE is really good about announcing them. If they issue a CVE, they send out a notice in short order. They have a mailing list for them that seems to cover all their products: UPS, BMS, PLC, etc. You might need an SE login, but they typically link to more details for each issue. It's obviously not the "here's how to exploit this issue" level of detail. I think CISA has an OT-specific mailing list that boils things down to OT stuff. BMS typically lands in there as well as in the full list. If I see an SE product land on CISA's mailing list, I either already got notice or do within a few days from SE.

https://www.cisa.gov/topics/industrial-control-systems
 
#3 ·
My experience is BAS manufacturers are generally told about their exploits (do not find it themselves)
It could happen either way. Oftentimes manufacturers have internal teams looking for flaws. Issues found internally are still assigned a public CVE number and an advisory is put out once the issue is patched. When things are reported externally, the researcher will typically give a disclosure timeline, which puts a lot of pressure on the manufacturer to fix the issue fast so that it's patched prior to disclosure. This incentivizes them to discover the issues internally so that they have a more favorable disclosure process and timeline.

The CVE will typically contain a decent amount of detail regarding what the issue is, when it could manifest, and what the impact would be if exploited.

Do you publish stuff like that?
We don't typically dive into the low-level details unless we discovered the issue ourselves (we'll be publishing some work on a BACnet implementation soon!). We do sometimes have customers that ask us for that additional context around a public vulnerability to determine if they are at risk; then we'll dive into the low-level details (sometimes reverse engineering the firmware/product) to see if it's exploitable in the way they're using the product.
 
#4 ·
It could happen either way.

The CVE will typically contain a decent amount of detail regarding what the issue is, when it could manifest, and what the impact would be if exploited.
Of course it can happen either way.

Do you link to the public CVEs? Or will you start?

Oh wait - the colored text of the manufacturer's named software isn't a link to that manufacturer or their software, it is a link to the CISA report on the software. That is not straightforward, but once you know that it is all right.
 
#8 ·
Are you trying to restrict the information to BAS, or are you also targeting other customers? Because the thread title here suggests BAS and I'm seeing things that I would consider PLC or DCIM or even power grid worlds in the example page you posted. When I look at the example page I'm seeing one thing at the very bottom that would interest this audience. We are a small subset of a much larger industry and I'm already getting CISA Vulnerability Summary reports that I search for some key words, and very often I find nothing of interest to ME or even my community.

Something focused on our market would be nice.
 
#9 ·
Are you trying to restrict the information to BAS, or are you also targeting other customers? Because the thread title here suggests BAS and I'm seeing things that I would consider PLC or DCIM or even power grid worlds in the example page you posted. When I look at the example page I'm seeing one thing at the very bottom that would interest this audience. We are a small subset of a much larger industry and I'm already getting CISA Vulnerability Summary reports that I search for some key words, and very often I find nothing of interest to ME or even my community.
We are trying to cater everything we do to the BAS industry, but like you noted, everything BAS related gets lumped into the ICS category as far as CISA is concerned.

We considered filtering out the non-BAS related stuff, but didn't want to accidentally exclude something very relevant. Instead, our goal to start is for it to be skimmable, making it very easy to see if a relevant product/manufacturer has an advisory put out. But as we become more familiar with all the moving pieces in the BAS world, I expect our content to become more specific and original. Eventually, you should be seeing CVEs from us make their way into CISA advisories!

Something focused on our market would be nice.
This is our goal. Are there certain types of information or content that you wish existed?
 
#11 ·
From this issue, Delta and Schneider are the only 2 BAS front end vendors.
BAS being a Building Automation System - traditionally encompassing HVAC and Lighting Controls, but can include a variety of other systems on the OT network.

Enphase = PV inverters, EV chargers.
Hitachi = Maybe VRF systems, haven't seen much of this in my market.
Medtronic = Medical devices
Mitsubishi = Usually VRF systems or Elevators
Ovarro = Process Industry, Oil and Gas, Water, Leak Detection
Rockwell = Industrial/Factory Automation

Here's a list of vendors having any IP addressable device(s) that you should make sure is on your radar. There may be more.
AES Corp (Fire Products)
Alerton (Honeywell)
Automated Logic Corporation
Belimo
Bosch
Cimetrics
Contemporary Controls
Cradlepoint
Daikin
Delta Controls
Distech Controls (Acuity Brands)
Eaton
Encelium
Enlighted
EnOcean (Lonworks)
Gallagher (Access Controls)
Honeywell
Johnson Controls
Loytec Americas
Lutron
Lynxspring
Mitsubishi Electric
MOXA
Optigo Networks
OSRAM Sylvania
Reliable Controls
Tridium Niagara (multiple brands)
Schneider Electric
Siemens
Trane
Trend
Wattstopper (Legrand)
 
#18 ·
Here's a list of vendors having any IP addressable device(s) that you should make sure is on your radar. There may be more.
AES Corp (Fire Products)
Alerton (Honeywell)
Automated Logic Corporation
Belimo
Bosch
Cimetrics
Contemporary Controls
Cradlepoint
Daikin
Delta Controls
Distech Controls (Acuity Brands)
Eaton
Encelium
Enlighted
EnOcean (Lonworks)
Gallagher (Access Controls)
Honeywell
Johnson Controls
Loytec Americas
Lutron
Lynxspring
Mitsubishi Electric
MOXA
Optigo Networks
OSRAM Sylvania
Reliable Controls
Tridium Niagara (multiple brands)
Schneider Electric
Siemens
Trane
Trend
Wattstopper (Legrand)
How could you miss Temco / Bravo controls from the list? Won't be shocked if that's an epic train wreck.

Certainly more, few that come to mind.

Liebert / Vertiv or whatever the name of the week is.
Stulz
SquareD
Cyberpower
Really anyone making data center cooling / power solutions. Gensets, PDUs, UPS, etc. Even just power meters with IP are all over now.

VFDs these days are starting to pop up with IP
ABB
Danfoss
SD
SE
Siemens

Then there is a ton of "IP gateway to xyz" vendors.
FieldServer - did they get sold to MSA?
BabelBuster

Might as well add networking gear as well. Especially some of the common stuff you see in BMS.
ccontrols.com
SOHO junk from big box stores

Don't some of the Trane package units with the new Symbio controls come IP now? I thought I have seen a few recently. I have certainly used ones where the USB interface shows up as a NIC.

There is a ton of IP gear out there in a typical BMS, and a fair deal of it really probably shouldn't exist.
 
#12 ·
Thanks for the list!! I'm very interested in MS/TP reachable surfaces as well; they seem to be very overlooked.

We struggled to draw a boundary around BAS because of the "...can include a variety of other systems on the OT network." I'd imagine a BA controller sometimes interfaces with factory automation devices from Rockwell? Or elevator devices from Mitsubishi? I'm wondering if BAS shops handle other parts of the automation network for their customers or if they stick strictly to BAS.

Either way, I'm hearing that some additional filtering is in order. Thanks everyone.
 
#13 ·
MS/TP reachable surfaces as well, they seem to be very overlooked.
Because that would require physical access to a local communication bus that is not generally exposed to occupied space. Besides that, there are a number of sensor buses that do extend to occupied space that are worth looking into, as they can grant access to the entire system.

I'd imagine a BA controller sometimes interfaces with factory automation devices from Rockwell? Or elevator devices from Mitsubishi? I'm wondering if BAS shops handle other parts of the automation network for their customers or if they stick strictly to BAS.
Yes BAS can integrate to those systems but rarely will a BAS shop also take on support for those systems.
 
#15 ·
You can click through to view the CISA advisory to view details of each vulnerability. The nature of the vulnerability drives the CVSS severity score; easy to exploit with high impact gets a Critical score, hard to exploit with minimal impact gets a Low score.

That's detailed in the "Vulnerability Overview" section of the CISA advisory.

For the Schneider advisory, that section includes:

--- begin ---

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94

Schneider Electric EcoStruxure operator Terminal Expert versions 3.3 SP1 and prior are vulnerable to a code injection attack that could allow an attacker to execute arbitrary code and gain access to all information on the machine.

CVE-2023-1049 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

--- end ---

Manufacturers' security advisories sometimes provide additional detail, but only the biggest manufacturers seem to have security teams that publish their own, more detailed security advisories. Some manufacturers do not provide security advisories at all.

Schneider's security advisory for that vulnerability provides additional detail, e.g., "a local user of the Windows engineering workstation" could exploit this vulnerability to cause "unauthorized code execution" that could "result in loss of availability, confidentiality, and integrity of the workstation".

The CISA advisory also discloses who found and reported the vulnerability, in section 3.4 RESEARCHER.

Over time, we can see whether the manufacturer's security team is finding vulnerabilities in their products themselves, or if independent security researchers are finding them.

(Full disclosure: I work for Crystal Peak and prepare our weekly vulnerability summaries.)
 
#16 ·
All right, Crystal Peak guys. Seeing as you all keep multiplying, can you please answer a few questions?

I see the blog on your site goes back to June '23. Is that when you all opened shop? Got any history there? I am not looking for a 90 minute documentary but something that tells us about who and what you are would be swell.

You pentest BAS stuff? So you want to work with OEMs? Like, say TRANE, and then reverse engineer their stuff, and show them where it is vulnerable and suggest fixes for a fee? More or less?

You say there on your site that you all are experienced, but here we are listing who your customers are. So experienced with what exactly? It is not with BAS stuff. Not trying to be mean, just following the logic. Asking for an answer, not throwing rocks.

Do you work with integrators like most of us? Not TRANE the OEM, but the poor schmuck in Super Cool Automation in Anytown USA who is sitting on a site with a bunch of TRANE stuff trying to get it to talk. There are a few OEMs represented on here, but not too many.

I appreciate you spending time with us. Informative. But how does your posting here turn into dollars. I think I know too little about your gig to understand....

I may have more questions, but this is a good start.
 
#17 ·
I see the blog on your site goes back to June '23. Is that when you all opened shop? Got any history there? I am not looking for a 90 minute documentary but something that tells us about who and what you are would be swell.
Sure! My name is Anthony, my background is in low level security research. All my professional experience is doing more or less what you described: Reverse engineer something, find vulnerabilities in it, help make it less vulnerable.

Crystal Peak has been around as a small single-person (me) consultancy since about June 2022. Around April 2023 we put up a simple website, and those posts in June are our first attempt at creating content for the BA industry. BA became our specialization of choice because I don't think it gets the security research attention that it deserves and it carries a lot of real-world impact with it.

Do you work with integrators like most of us? Not TRANE the OEM, but the poor schmuck in Super Cool Automation in Anytown USA who is sitting on a site with a bunch of TRANE stuff trying to get it to talk. There are a few OEMs represented on here, but not too many.
I think our skill sets are most valuable to the OEMs, our bread 'n' butter being the analysis of hardware/firmware & source code. However, we do a ton of relevant software development to support that stuff which might be really useful for integrators. I'm listening for the problems that schmuck in Anytown frequently encounters to understand what help we can offer.

I appreciate you spending time with us. Informative. But how does your posting here turn into dollars. I think I know too little about your gig to understand....
I'm just excited to see folks reading our stuff and giving us feedback. I don't think it turns into dollars on its own; I'm more here to learn about the industry, help out however I can, and get our name out there. If someone finds our input valuable and wants to engage, however, I certainly wouldn't turn it away. Ideally that someone would have some hardware/firmware/source code for us to rip apart, find vulnerabilities in, and fix. But we could do custom tools as well.

Feel free to fire off any other questions!
 
#20 · (Edited)
Can't say I have seen a native LON VFD in twenty years or more on a new install. Not sure what brand it was I ran into recently, but IP was standard. It's optional on many now. Vacon, through a channel we offer, had an IP option card back in the mid 2000s.

https://partners.trendcontrols.com/trendproducts/cd/pl/pdf/en-ta200826-uk0yr1207.pdf

You're still ordering VFDs that come native LON, or is it an option card?

Humidifiers, now that I think about it. It's either an option or standard on DriSteem humidifiers.

Autoflame DTIs boiler controls, IP is standard.

Emerson asset monitors, aka fancy vibration gear, IP standard.

I may even have some RO/DI skids with IP. There is a ton of stuff that touches our industry that offers IP interfaces, and some of these small vendors are almost certainly security dumpster fires. Customer asked for an IP interface and we tossed it together. It works; you didn't ask for security...
 
#21 · (Edited)
Cleanroom FFU monitors. Got those that have native IP interfaces. Most users wouldn't laugh off getting pwned, for what they paid for the system or the interruption of the process.

Crazy ionization gear to reduce CR particle count, IP standard.

Stupid IAQ rona-era gear, IoT and IP all the way. The more I think about it, junk with IP interfaces is really everywhere in the field.
 
#23 ·
There is a ton of stuff that touches our industry that offers IP interfaces
Yeah, this is why I found it difficult to draw a boundary around BA. The ecosystem is so distributed, with tiny vendors all over the place engineering their own implementations and whatnot.

I'm curious - has anyone here experienced some sort of security event (e.g., ransomware, boiler being taken offline, ...)?
 
#25 ·
I've seen ransomware many years ago. The customer's IT dept had set up port forwarding of TCP port 3389 from a public IP to the front end on a Windows XP machine. No restriction by IP.
Didn't take long for it to get pwned via a known RDP vulnerability.
 
#32 ·
BACnet is one of those insecure by design protocols. Known from the start.
There are varying levels of insecurity. Everyone is aware of reading/writing device attributes or viewing cleartext traffic. But that's a lot less severe than remote arbitrary code execution. RCE will also let you pivot to other things. Throwback to when car entertainment systems were first given remote connectivity: everyone quickly realized that the entertainment system probably shouldn't share a CAN bus with your brakes.
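The reply above mentions reading and writing device attributes as the baseline, by-design weakness of BACnet. The following is an added example, not code from the thread or from any vendor, that makes the point concrete at the byte level: a BACnet/IP Who-Is encoder and I-Am decoder built from the standard on-the-wire constants in ASHRAE 135 (BVLC type 0x81, NPDU version 1, unconfirmed-request APDU, service choices 0x08/0x00). Nothing is sent; the I-Am frame is constructed for the example, not captured from a device. What a practitioner should take from it is that there is no credential, session or nonce anywhere in either message, and the same holds for the ReadProperty/WriteProperty requests that follow discovery. Device instance 1234, vendor id 999 and the other field values in the sample frame are arbitrary assumptions.

```python
"""BACnet/IP Who-Is encoder and I-Am decoder (added example; not code from the thread or a vendor).

Constants are the standard ASHRAE 135 on-the-wire values. SAMPLE_I_AM is constructed
for this example; its device instance, max-APDU, segmentation and vendor id are arbitrary.
"""
import struct

BVLC_TYPE_BACNET_IP = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_VERSION = 0x01
APDU_UNCONFIRMED_REQUEST = 0x10    # PDU type 1 in the high nibble
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8
APP_TAG_UNSIGNED, APP_TAG_ENUMERATED, APP_TAG_OBJECT_ID = 2, 9, 12
BACNET_UDP_PORT = 47808           # 0xBAC0; Who-Is goes out as a UDP broadcast, no auth, no session


def _unsigned_bytes(value):
    """Shortest big-endian encoding of a BACnet Unsigned (1 to 4 bytes)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("BACnet Unsigned must fit in 32 bits")
    return value.to_bytes(4, "big").lstrip(b"\x00") or b"\x00"


def _context_tagged_unsigned(tag_number, value):
    """Context tag byte: (tag << 4) | class bit 0x08 | length, for values under 5 bytes."""
    raw = _unsigned_bytes(value)
    return bytes([(tag_number << 4) | 0x08 | len(raw)]) + raw


def _frame(bvlc_function, apdu):
    """BVLC header (type, function, total length) + minimal NPDU + APDU."""
    npdu = bytes([NPDU_VERSION, 0x00])  # local network, no destination, no reply expected
    length = 4 + len(npdu) + len(apdu)
    return struct.pack("!BBH", BVLC_TYPE_BACNET_IP, bvlc_function, length) + npdu + apdu


def encode_who_is(low=None, high=None):
    """Who-Is, optionally limited to a device-instance range (give both limits or neither)."""
    apdu = bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    if low is not None or high is not None:
        if low is None or high is None or low > high:
            raise ValueError("Who-Is range needs both limits with low <= high")
        apdu += _context_tagged_unsigned(0, low) + _context_tagged_unsigned(1, high)
    return _frame(BVLC_ORIGINAL_BROADCAST, apdu)


def _read_app_tag(buf, off):
    """Decode one application-tagged value: (tag number, value bytes, next offset)."""
    tag_byte = buf[off]
    if tag_byte & 0x08:
        raise ValueError("context tag where application tag expected at offset %d" % off)
    tag, length = tag_byte >> 4, tag_byte & 0x07
    off += 1
    if length == 5:                        # extended length: one more byte (enough for I-Am fields)
        length, off = buf[off], off + 1
    if off + length > len(buf):
        raise ValueError("truncated value at offset %d" % off)
    return tag, buf[off:off + length], off + length


def _expect(tag, value, wanted, name):
    if tag != wanted:
        raise ValueError("I-Am %s has tag %d, expected %d" % (name, tag, wanted))
    return int.from_bytes(value, "big")


def decode_i_am(frame):
    """Parse an I-Am frame into its four fields; raises ValueError on malformed input."""
    if len(frame) < 8 or frame[0] != BVLC_TYPE_BACNET_IP:
        raise ValueError("not a BACnet/IP frame")
    if struct.unpack("!H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length does not match frame length")
    version, control = frame[4], frame[5]
    if version != NPDU_VERSION:
        raise ValueError("unsupported NPDU version %d" % version)
    off = 6
    if control & 0x20:                     # DNET(2) DLEN(1) DADR(DLEN)
        off += 3 + frame[off + 2]
    if control & 0x08:                     # SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + frame[off + 2]
    if control & 0x20:                     # hop count follows the source fields
        off += 1
    if frame[off] != APDU_UNCONFIRMED_REQUEST or frame[off + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am APDU")
    off += 2
    tag, raw, off = _read_app_tag(frame, off)
    obj_id = _expect(tag, raw, APP_TAG_OBJECT_ID, "object identifier")
    if obj_id >> 22 != OBJECT_TYPE_DEVICE:  # top 10 bits object type, low 22 bits instance
        raise ValueError("I-Am object is not a Device object")
    tag, raw, off = _read_app_tag(frame, off)
    max_apdu = _expect(tag, raw, APP_TAG_UNSIGNED, "max APDU")
    tag, raw, off = _read_app_tag(frame, off)
    segmentation = _expect(tag, raw, APP_TAG_ENUMERATED, "segmentation")
    tag, raw, off = _read_app_tag(frame, off)
    vendor_id = _expect(tag, raw, APP_TAG_UNSIGNED, "vendor id")
    return {"device_instance": obj_id & 0x3FFFFF, "max_apdu": max_apdu,
            "segmentation": segmentation, "vendor_id": vendor_id}


# Constructed I-Am reply: device 1234, max APDU 1476, segmentation 3 (none), vendor id 999.
SAMPLE_I_AM = bytes.fromhex("810a0015" "0100" "1000" "c4020004d2" "2205c4" "9103" "2203e7")

if __name__ == "__main__":
    print(encode_who_is().hex())           # 810b000801001008
    print(encode_who_is(0, 0x3FFFFF).hex())
    print(decode_i_am(SAMPLE_I_AM))
```

The eight-byte unrestricted Who-Is is the entire "authentication" a BACnet device sees before it announces itself, which is why an exposed UDP/47808 is an inventory of the building for anyone who can reach it. The decoder is deliberately strict (length fields checked, tags verified, device object type enforced) because a parser that trusts these fields is where the "less severe" attribute-reading weakness turns into the memory-corruption class the reply contrasts it with.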
 
#44 ·
Defending, you need to stop everything. Attacking, you just need to hit once to create a defender nightmare. Rather lopsided effort.
Absolutely. It becomes even more bonkers when you look at the amount of code being written versus the number of people sanity-checking it. A large company like Honeywell has wildly outnumbered security research teams, something like 1000:1 - 1,000 people writing code for every one researcher auditing things.
 
#45 ·
This would have been a nice one to know about

https://www.cisa.gov/news-events/ics-advisories/icsa-20-168-01

Treck TCP/IP Stack CVSS v3 10.0
I feel like I've seen "Ripple20" mentioned but didn't know it would be in our products.

The Treck TCP/IP stack may be known by other names such as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX.

Vendors known to use this:

ABB
B.Braun
Baxter
BD
CareStream
Caterpillar
DIGI International
Eaton
Green Hills Software
IDEC Corporation
Johnson Controls
Miele
Opto 22
Pepperl+Fuchs
Rockwell
Schneider Electric
Smiths Medical
 
#47 ·
https://www.cisa.gov/news-events/ics-advisories/icsa-19-274-01

Interpeak IPnet TCP/IP Stack (Update E)
CVSS v3 9.8
Exploitable remotely/low attack complexity/public exploits are available

VxWorks by Wind River, seen in some of our field too.

ABB
Avaya
Belden Industrial Devices
ExtremeNetworks
IDEC Corporation
Mitsubishi Electric
NetApp
Rockwell Automation
Schneider Electric
Siemens (Power Meters)
Siemens (RUGGEDCOM)
Siemens (SIPROTEC 5)
Sonicwall Firewalls
TrendMicro IPS
Woodward
Xerox Printers
Xylem
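Posts #8/#9 ask for a way to skim the CISA feed for what matters to this market, #11 and #18 give the vendor watch list, and #45/#47 show the catch: the Treck and IPnet advisories only name the BAS vendors in their affected-vendor lists, never in the title, so a keyword search over titles alone misses them. The following is an added example, not a Crystal Peak or CISA tool, of a watch-list filter that matches each advisory's title and its affected-vendor list separately and reports where the hit came from. The feed records are constructed from items named in this thread; advisory IDs appear only where the thread cites them, the vendor lists for the two stack advisories are subsets of those posted above, and the aliases in the watch list (JCI, Liebert, Square D) are my assumptions about how those names show up in advisories.

```python
"""Vendor watch-list filter for advisory feeds (added example; not a Crystal Peak or CISA tool).

Matches the title AND the affected-vendor list, because third-party TCP/IP-stack advisories
(Treck/Ripple20, IPnet) name BAS vendors only in the body. All feed records are constructed
from items named in the thread; IDs are only given where the thread cites them.
"""
import re

# Watch list: a subset of the vendors posted in the thread, plus assumed aliases/sub-brands.
WATCHLIST = {
    "Schneider Electric": ["Schneider", "Square D", "SquareD"],
    "Johnson Controls": ["JCI"],
    "Honeywell": ["Alerton", "Trend"],     # \bTrend\b will not match "TrendMicro"
    "Tridium Niagara": ["Tridium", "Niagara"],
    "Delta": ["Delta Controls", "Delta Electronics"],
    "Mitsubishi Electric": ["Mitsubishi"],
    "Eaton": [],
    "Siemens": ["RUGGEDCOM"],
    "ABB": [],
    "MOXA": [],
    "Vertiv": ["Liebert"],
}


def _pattern(names):
    """Whole-word, case-insensitive alternation of a vendor's names."""
    return re.compile(r"\b(?:%s)\b" % "|".join(re.escape(n) for n in names), re.IGNORECASE)


PATTERNS = {vendor: _pattern([vendor] + aliases) for vendor, aliases in WATCHLIST.items()}


class Advisory:
    def __init__(self, title, vendors, advisory_id=None):
        self.title = title
        self.vendors = list(vendors)       # names from the advisory's affected-products section
        self.advisory_id = advisory_id

    def __repr__(self):
        return "Advisory(%r)" % (self.advisory_id or self.title)


def match_advisory(adv, title_only=False):
    """Map each watch-list vendor the advisory touches to where it matched: 'title' or 'vendors'."""
    fields = [("title", adv.title)]
    if not title_only:
        fields.append(("vendors", "\n".join(adv.vendors)))
    hits = {}
    for vendor, pat in PATTERNS.items():
        for where, text in fields:
            if pat.search(text):
                hits[vendor] = where
                break
    return hits


def filter_feed(advisories, title_only=False):
    """Keep only advisories that touch the watch list, each paired with its hits."""
    kept = []
    for adv in advisories:
        hits = match_advisory(adv, title_only)
        if hits:
            kept.append((adv, hits))
    return kept


# Constructed feed (see the lead-in for what is taken from the thread and what is assumed).
SAMPLE_FEED = [
    Advisory("Treck TCP/IP Stack",
             ["ABB", "Eaton", "Johnson Controls", "Rockwell", "Schneider Electric", "Opto 22"],
             "ICSA-20-168-01"),
    Advisory("Interpeak IPnet TCP/IP Stack (Update E)",
             ["ABB", "Mitsubishi Electric", "Siemens (RUGGEDCOM)", "TrendMicro IPS", "Xerox Printers"],
             "ICSA-19-274-01"),
    Advisory("Schneider Electric EcoStruxure Operator Terminal Expert", ["Schneider Electric"]),
    Advisory("Medtronic medical device advisory", ["Medtronic"]),
    Advisory("Rockwell Automation advisory", ["Rockwell Automation"]),
]

if __name__ == "__main__":
    print("title-only :", filter_feed(SAMPLE_FEED, title_only=True))
    print("full match :", filter_feed(SAMPLE_FEED))
```

Run against the sample feed, the title-only pass returns just the Schneider advisory, while the full pass also surfaces both TCP/IP-stack advisories with Johnson Controls, Eaton, Schneider, Mitsubishi and Siemens reported as 'vendors' hits. That is the difference between the summary that would have flagged Ripple20 for this audience and one that would not; the feed parsing itself (CISA's pages or its RSS) is left out, since the page does not describe their format.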
 