Co-Authors: Ta-Lun Yen, Chizuru Toyama, Queenie Liao, Daniel Chiu
To protect against exploitation of the recent vulnerabilities in C-More HMIs, TXOne provides the following IPS rules (rule ID followed by rule name):

CVE-2020-10918
1137300: ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 0
1137301: ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 1
1137302: ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 2-F/Flow

CVE-2020-10920
1137290: ICS C-MORE HMI EA9 Control Port Missing Authentication for Critical Function RCE (CVE-2020-10920)

CVE-2020-10921 and CVE-2020-10922
1137289: ICS C-MORE HMI EA9 EA-HTTP RCE and DoS Vulnerability -1.1 (CVE-2020-10921, CVE-2020-10922)
The corresponding pseudo-Snort rules are listed below for reference.
–
CVE-2020-10918
alert TCP Others any any -> any 11102
(msg:"ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 0";
flow:to_server,established; dsize:64;
content:"|40 00 0D|"; depth:+3; sec:Any/Any; fixed;
classtype: Misc, v2classtype: ICS threats; priority:3;
flowbits:set,CVE-2020-10918.init;
flowbits:noalert; sid:1137300;)
alert TCP Others any 11102 -> any any
(msg:"ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 1";
flow:to_client,established; dsize:16;
content:"|01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:+16; sec:Any/Any; fixed;
classtype: Misc, v2classtype: ICS threats; priority:3;
flowbits:isset,CVE-2020-10918.init;
flowbits:set,CVE-2020-10918.login;
flowbits:noalert; sid:1137301;)
alert TCP Others any any -> any 11102
(msg:"ICS C-MORE HMI EA9 Authentication Bypass Vulnerability (CVE-2020-10918) state 2-F/Flow";
flow:to_server,established; dsize:64;
content:"|40 00 01|"; depth:+3; sec:Any/Any; fixed;
classtype: Misc, v2classtype: ICS threats; priority:4;
flowbits:isset,CVE-2020-10918.init;
flowbits:isnotset,CVE-2020-10918.login; sid:1137302;)
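The three CVE-2020-10918 rules only work as a chain: the first two set flowbits without alerting, and the third alerts only when a flow reaches state 2 having seen the init request but not the login reply. The following Python model is an added example (not TXOne's code) that reproduces that flowbits logic over constructed packets; the Packet and FlowState types, the client port 50000 and the zero-byte padding are assumptions made here.

```python
from dataclasses import dataclass

HMI_PORT = 11102  # destination port in the CVE-2020-10918 rules

@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes

@dataclass
class FlowState:
    init: bool = False   # flowbit CVE-2020-10918.init
    login: bool = False  # flowbit CVE-2020-10918.login

def inspect(pkt: Packet, state: FlowState):
    """Apply the three pseudo rules to one packet; return the alerting sid or None."""
    to_server = pkt.dst_port == HMI_PORT
    to_client = pkt.src_port == HMI_PORT
    # sid 1137300 (state 0): 64-byte request beginning 40 00 0D; sets init, no alert.
    if to_server and len(pkt.payload) == 64 and pkt.payload[:3] == b"\x40\x00\x0d":
        state.init = True
        return None
    # sid 1137301 (state 1): 16-byte reply 01 00 .. 00 after init; sets login, no alert.
    if to_client and pkt.payload == b"\x01" + bytes(15) and state.init:
        state.login = True
        return None
    # sid 1137302 (state 2): 64-byte request beginning 40 00 01 while init is set
    # but login is not, i.e. the flow never saw the expected login reply.
    if (to_server and len(pkt.payload) == 64 and pkt.payload[:3] == b"\x40\x00\x01"
            and state.init and not state.login):
        return 1137302
    return None

def run(flow):
    """Return the sids that alert over one ordered TCP flow (one FlowState per flow)."""
    state = FlowState()
    return [sid for sid in (inspect(p, state) for p in flow) if sid is not None]

# Constructed sample flows, not captured traffic; zero bytes pad payloads to dsize.
INIT = Packet(50000, HMI_PORT, b"\x40\x00\x0d" + bytes(61))
LOGIN_OK = Packet(HMI_PORT, 50000, b"\x01" + bytes(15))
CMD = Packet(50000, HMI_PORT, b"\x40\x00\x01" + bytes(61))
NORMAL_LOGIN = [INIT, LOGIN_OK, CMD]  # init, login reply, command: no alert
SKIPPED_LOGIN = [INIT, CMD]           # command with no login reply seen: [1137302]
NO_INIT = [CMD]                       # command with no init: rule chain never starts
```

Because the flowbits live in a per-flow state object, the same command packet is benign in NORMAL_LOGIN and alerting in SKIPPED_LOGIN, which is the behaviour the priority-4 rule is meant to isolate.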
–
CVE-2020-10920
alert TCP Others any any -> any 9999
(msg:"ICS C-MORE HMI EA9 Control Port Missing Authentication for Critical Function RCE (CVE-2020-10920)";
flow:to_server,established;
content:"|CF CF CF CE CF CF CF CC CF CF CF CF CF CF CD|"; depth:+15; sec:Any/Any;
content:"|A3 F6 BC BA A7 BA A0 C6 BE BA F6|"; within:+64; sec:Any/Any;
classtype: Misc, v2classtype: ICS threats; priority:4; sid:1137290;)
–
CVE-2020-10921 and CVE-2020-10922
alert TCP HTTP any any -> any 80:
(msg:"ICS C-MORE HMI EA9 EA-HTTP RCE and DoS Vulnerability -1.1 (CVE-2020-10921, CVE-2020-10922)";
flow:to_server,established;
http_field_len:Raw-URL,=,4:8;!Referer;
regex:"(/runtime |/system |/log )"; nocase; sec:HTTP_URL/Any;
regex:"(\{\"method\"\:\"get|\{\"method\"\:\"set|\{\"method\"\:\"chg|\{\"method\"\:\"clickScreen|\{\"method\"\:\"blinkPanel|\{\"method\"\:\"touch)"; nocase; sec:HTTP_Body/Other_File;
classtype: Misc, v2classtype: ICS threats; priority:4; sid:1137289;)
Learn more about HMIs, these specific vulnerabilities, and prevention guidelines here.