Author's Posts

Hello All. Researchers at Claroty, a well-known OT passive monitoring vendor, have disclosed multiple critical vulnerabilities in vendor implementations of the Open Platform Communications (OPC) network protocol.

What is the OPC Protocol Anyway?

OPC communicates information from a data source, such as a server, to any client application in a standard way, without requiring the application to have any specific knowledge about the data source, such as its communication protocols. When diverse OT systems are required to communicate with each other, a separate protocol or method is required for each device. As a solution, the OPC (linking and correlating objects in process control) standard was developed.

OPC is a communication standard known as the OLE / COM (Object Linking & Embedding / Component Object Model) standard, based on Microsoft’s object-oriented technology and aimed at integration between different applications, to make the connection between different units in automation systems fast and reliable.

Claroty’s Findings

The vulnerabilities affect the following vendors and products: Softing’s Industrial Automation OPC library, Kepware PTC’s ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon’s Matrikon OPC Tunneller.

These three products are integrated into many other vendors’ offerings as a third-party component. For example, Softing’s OPC library is being used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC Server is being used as an OEM shelf solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. We believe these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets. Here is a list of the vulnerability CVEs:

Softing Industrial Automation GmbH

  • CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
  • CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)

Kepware PTC

  • CVE-2020-27265: Stack-based buffer overflow (CWE-121)
  • CVE-2020-27263: Heap-based buffer overflow (CWE-122)
  • CVE-2020-27267: Use-after-free (CWE-416)

Matrikon Honeywell OPC DA Tunneller

  • CVE-2020-27297: Heap overflow due to integer overflow (CWE-122)
  • CVE-2020-27299: Information leak due to OOB read (CWE-125)
  • CVE-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
  • CVE-2020-27295: Uncontrolled resource consumption (CWE-400)

Claroty are urging users of these products to upgrade to the latest version to mitigate these vulnerabilities.


Hello All. Most of you know who Malwarebytes is: an endpoint product used to protect against malware. Many in the industry say it is one of the best consumer products out there when compared to others like McAfee or Norton. In some unfortunate news, it looks like they may have suffered a cyber-breach similar in nature to that of the SolarWinds attack.

“Malwarebytes said its intrusion is not related to the SolarWinds supply chain incident since the company doesn’t use any of SolarWinds software in its internal network. Instead, the security firm said the hackers breached its internal systems by exploiting an Azure Active Directory weakness and abusing malicious Office 365 applications. Malwarebytes said it learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15. At the time, Microsoft was auditing its Office 365 and Azure infrastructures for signs of malicious apps created by the SolarWinds hackers, also known in cyber-security circles as UNC2452 or Dark Halo.”

“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails,” said Marcin Kleczynski, Malwarebytes co-founder and CEO.

Given that the same threat actor that breached SolarWinds moved to weaponize the company’s software by inserting the Sunburst malware into some updates for the SolarWinds Orion platform, Malwarebytes has indicated that they have also performed a very thorough audit of all their products and associated source code, searching for any signs of a similar compromise or past supply chain attack.

“Our internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Our software remains safe to use,” Kleczynski added.

To read the statement from Marcin Kleczynski – visit http://bit.ly/2M8GVO0


Hello All. Recall all the days of having to deal with Adobe Flash-based attacks? Arbitrary code execution flaws? Users who did not always update their devices to the most recent version of the software right away, leaving them susceptible to the thousands of known vulnerabilities? How about exploit kits that took advantage of vulnerabilities in Flash – for example, a hacker may decide to use an exploit kit delivered by website redirect. That means that when a user clicks on a website link in their browser, an embedded script redirects the user to a hacker’s landing page that contains the exploit kit. Remember a few years ago when an unpatched bug in Adobe Flash was being targeted by the Angler Exploit Kit – causing all kinds of ransomware hits?

Well, I am happy to say we can put all of that behind us. Adobe Flash Player is officially non-functional, and it’s time to uninstall the program once and for all. In a coordinated announcement from Adobe, Apple, Microsoft, Google, and Mozilla in July 2017, we learned that Adobe Flash Player would officially reach the end of life on December 31st, 2020.

When Adobe released their final version of Flash Player in December, they also announced that recent versions of the software include a kill switch that prevents Flash Player from loading Flash content starting on January 12th, 2021.

It is now January 14th, and as Flash content no longer runs in Flash Player, it is time to uninstall the software. Now, when you try to open Flash content, which most browsers automatically block by default, Flash Player will display the following icon that opens the when you click on it.
