Security Advisory ID: OSA-9
Release Date: 2024-03-29
Revision: 1.0
OMICRON Product Security Team | security@omicronenergy.com

3rd Party Vulnerabilities in CM-Line, CMS 356 and ARCO 400 embedded image versions

Summary
----------------------------------------------------------------------------
3rd Party Vulnerabilities in old image versions affecting CMS 356, CMC 256plus, CMC 353, CMC 356, CMC 430, CMC 850, ARCO 400.

SNMP Agent Default Community Name (public) - CVE-1999-0517
It is possible to obtain the default community name of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host. When using PTP synchronization with Power Profile V1 (and the SNMP service is running), the vulnerability allows the attacker to get some PTP parameters/configuration details.

nginx < 1.17.7 Information Disclosure - CVE-2019-20372
According to its Server response header, the installed version of nginx is prior to 1.17.7. It is, therefore, affected by an information disclosure vulnerability.

JQuery 1.2 < 3.5.0 Multiple XSS - CVE-2020-11022, CVE-2020-11023
According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross-site scripting vulnerabilities.

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014, must be at least 2048 bits. Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.

Affected OMICRON Products
----------------------------------------------------------------------------
Vulnerabilities CVE-1999-0517, CVE-2019-20372, CVE-2020-11022, CVE-2020-11023 affect the following OMICRON products:
> CMC 256 plus with Images before v2.63
> CMC 353 with Images before v2.63
> CMS 356 with Images before v2.63
> CMC 430 with Images before v2.63
> CMC 840 with Images before v2.63
> CMS 356 with Images before v2.63
> ARCO 400 with Images before v2.63

The RSA Keys Less Than 2048 bits Vulnerability affects the following OMICRON products:
> CMC 256 plus with Images before v2.65
> CMC 353 with Images before v2.65
> CMS 356 with Images before v2.65
> CMC 430 with Images before v2.65
> CMC 840 with Images before v2.65
> CMS 356 with Images before v2.65
> ARCO 400 with Images before v2.65

Vulnerability Classification
----------------------------------------------------------------------------
> CVE-1999-0517
  > NVD-CWE-Other: Other
  > Base: Score 7.5
  > Risk Class: High
  > Vector: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
> CVE-2019-20372
  > CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
  > Base: Score 5.3
  > Risk Class: Medium
  > Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
> CVE-2020-11022
  > CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  > Base: Score 6.1
  > Risk Class: Medium
  > Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
> CVE-2020-11023
  > CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  > Base: Score 6.1
  > Risk Class: Medium
  > Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
> RSA Keys Less Than 2048 bits
  > CWE-320 - Key Management Errors
  > Base: Score 6.8
  > Risk Class: Medium
  > Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/CR:H/IR:H/AR:M/MAV:L/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H

Security Advisory
----------------------------------------------------------------------------
Mitigation:
OMICRON has released new software versions for CMS 356, CMC 256plus, CMC 353, CMC 356, CMC 430, CMC 850, ARCO 400 which fix the nginx, JQuery and RSA key length vulnerabilities.

Partial Mitigation:
The SNMP Agent Default Community Name (public) - CVE-1999-0517 vulnerability is still present in image version 2.68 in all affected products, but the exposure is significantly smaller. With older images, the SNMP agent runs constantly; with image 2.68, the service runs only when PTP Power Profile V1 is configured and is not started otherwise. When PTP Power Profile V1 is configured, the SNMP agent provides read-only access to PTP configuration parameters.

Required Action:
Customers that are using the affected versions are advised to install the latest update that is available in the customer portal (registration required).

More information about CMS 356, CMC 256plus, CMC 353, CMC 356, CMC 430, CMC 850, ARCO 400, including the link to download them, can be found at:
https://www.omicronenergy.com/en/products/cms-356/
https://www.omicronenergy.com/en/products/cmc-256plus/
https://www.omicronenergy.com/en/products/cmc-353/
https://www.omicronenergy.com/en/products/cmc-356/
https://www.omicronenergy.com/en/products/cmc-430/
https://www.omicronenergy.com/en/products/cmc-850/
https://www.omicronenergy.com/en/products/arco-400/

Acknowledgments
----------------------------------------------------------------------------
Many thanks to Mr. Lee Luis (ComEd) for reporting the vulnerabilities.
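
Added example (not part of the OMICRON advisory and not OMICRON code): a Python triage sketch that applies the advisory's image-version thresholds and the SNMP partial-mitigation rule to a constructed device inventory. The inventory rows, the ptp_power_profile_v1 field and the integer-component version comparison are assumptions. Images from 2.63 to 2.67 are flagged for on-device SNMP verification because the advisory does not describe them, and images later than 2.68 are assumed to behave like 2.68.

```python
"""Added example: triage devices against the image thresholds in advisory OSA-9."""

# finding -> first image version (major, minor) that the advisory lists as not affected
FIXED_IN = {
    "CVE-2019-20372 (nginx)": (2, 63),
    "CVE-2020-11022 / CVE-2020-11023 (JQuery)": (2, 63),
    "RSA keys < 2048 bits": (2, 65),
}
SNMP = "CVE-1999-0517 (SNMP community 'public')"


def parse_version(text):
    """'v2.63' -> (2, 63). Assumption: components compare as integers."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def snmp_status(version, ptp_v1):
    """Return 'exposed', 'not running' or 'verify' for the SNMP agent."""
    if version < (2, 63):
        return "exposed"  # listed as affected; agent runs constantly on older images
    if version >= (2, 68):  # assumption: images after 2.68 behave like 2.68
        return "exposed" if ptp_v1 else "not running"
    return "verify"  # 2.63 to 2.67: the advisory does not describe the agent


def triage(device):
    """List the advisory findings that still apply to one inventory row."""
    version = parse_version(device["image"])
    findings = [name for name, fixed in FIXED_IN.items() if version < fixed]
    status = snmp_status(version, device.get("ptp_power_profile_v1", False))
    if status == "exposed":
        findings.append(SNMP)
    elif status == "verify":
        findings.append(SNMP + " [verify on device]")
    return findings


# Constructed sample inventory (names and field layout are hypothetical).
INVENTORY = [
    {"name": "cmc356-lab", "image": "v2.60", "ptp_power_profile_v1": False},
    {"name": "arco-yard", "image": "2.64", "ptp_power_profile_v1": False},
    {"name": "cmc430-ptp", "image": "2.68", "ptp_power_profile_v1": True},
    {"name": "cms356-new", "image": "2.68", "ptp_power_profile_v1": False},
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row["name"], row["image"], triage(row) or "no open findings")
```
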