Blog

C-More HMI Vulnerabilities, July 2020: Solutions

Jul 23, 2020

Co-Authors: Ta-Lun Yen, Chizuru Toyama, Queenie Liao, Daniel Chiu

 

 

To protect against exploitation of the recent vulnerabilities in C-More HMIs, TXOne provides the following IPS rules.

 

 

CVE-2020-10918

1137300

ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 0

1137301

ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 1

1137302

ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 2-F/Flow

 

CVE-2020-10920

1137290

ICS C-MORE HMI EA9 Control Port Missing Authentication for Critical Function RCE (CVE-2020-10920)

 

CVE-2020-10921 and CVE-2020-10922

1137289

ICS C-MORE HMI EA9 EA-HTTP RCE and DoS Vulnerability -1.1 (CVE-2020-10921, CVE-2020-10922)

 

The corresponding pseudo snort rules for reference are also listed below.

 

 

CVE-2020-10918

alert TCP Others any any -> any 11102

(msg:”ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 0″;

flow:to_server,established; dsize:64;

content:”|40 00 0D|”; depth:+3; sec:Any/Any; fixed;

classtype: Misc, v2classtype: ICS threats; priority:3;

flowbits:set,CVE-2020-10918.init;

flowbits:noalert; sid:1137300;)

alert TCP Others any 11102 -> any any

(msg:”ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 1″;

flow:to_client,established; dsize:16;

content:”|01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|”; depth:+16; sec:Any/Any; fixed;

classtype: Misc, v2classtype: ICS threats; priority:3;

flowbits:isset,CVE-2020-10918.init;

flowbits:set,CVE-2020-10918.login;

flowbits:noalert; sid:1137301;)

alert TCP Others any any -> any 11102

(msg:”ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 2-F/Flow”;

flow:to_server,established; dsize:64;

content:”|40 00 01|”; depth:+3; sec:Any/Any; fixed;

classtype: Misc, v2classtype: ICS threats; priority:4;

flowbits:isset,CVE-2020-10918.init;

flowbits:isnotset,CVE-2020-10918.login; sid:1137302;)

 

 

 

CVE-2020-10920

alert TCP Others any any -> any 9999

(msg:”ICS C-MORE HMI EA9 Control Port Missing Authentication for Critical Function RCE (CVE-2020-10920)”;

flow:to_server,established;

content:”|CF CF CF CE CF CF CF CC CF CF CF CF CF CF CD|”; depth:+15; sec:Any/Any;

content:”|A3 F6 BC BA A7 BA A0 C6 BE BA F6|”; within:+64; sec:Any/Any;

classtype: Misc, v2classtype: ICS threats; priority:4; sid:1137290;)

 

 

CVE-2020-10921 and CVE-2020-10922

alert TCP HTTP any any -> any 80:

(msg:”ICS C-MORE HMI EA9 EA-HTTP RCE and DoS Vulnerability -1.1 (CVE-2020-10921, CVE-2020-10922)”;

flow:to_server,established;

http_field_len:Raw-URL,=,4:8;!Referer;

regex:”(/runtime |/system |/log )”; nocase; sec:HTTP_URL/Any;

regex:”(\{\”method\”\:\”get|\{\”method\”\:\”set|\{\”method\”\:\”chg|\{\”method\”\:\”clickScreen|\{\”method\”\:\”blinkPanel|\{\”method\”\:\”touch)”; nocase; sec:HTTP_Body/Other_File;

classtype: Misc, v2classtype: ICS threats; priority:4; sid:1137289;)

 

 

Learn more about HMIs, these specific vulnerabilities, and prevention guidelines here.

Photo of two men investigating factory equipment taken by Science in HD on Unsplash

TXOne image
TXOne Networks

Need Assistance with OT Security ?

Our team is here to assist with OT security challenges and provide guidance on implementing effective solutions.​