This afternoon the DHS ICS-CERT published two control system
advisories on their web site. For some reason, probably an oversight, they did
not list the two advisories on the landing page
of their web site. They were reported on Twitter (here and here) and are
listed on the Advisories
page of their web site. The advisories report multiple vulnerabilities in
systems from Omron and Honeywell.
Omron Advisory
This advisory
describes vulnerabilities reported by Joel Sevilleja Febrer of S2 Grupo with
Omron’s NS series HMI terminals. ICS-CERT reports that Omron has produced an
update that mitigates the vulnerabilities, but there are no indications that
Sevilleja has had the opportunity to verify the efficacy of the effort.
The twin vulnerabilities are:
• Cross-site request forgery - CVE-2014-2369; and
• Cross-site scripting - CVE-2014-2370.
ICS-CERT reports that it would take a moderately to highly
skilled attacker to remotely exploit these vulnerabilities. The advisory
provides separate links to the new versions of each affected system.
Interestingly, I can find no mention of the updated versions or the security
issues requiring the update at the links provided.
Honeywell Advisory
This advisory
describes vulnerabilities reported by Martin Jartelius of Outpost24 and Juan
Francisco Bolivar in the Honeywell Falcon XLWeb controller. ICS-CERT reports
that Honeywell has produced an update that deals with both vulnerabilities, but
there is no indication that the researchers have been given the opportunity to
verify the efficacy of the fix.
The twin vulnerabilities are:
• File accessible to external parties - CVE-2014-2717; and
• Cross-site scripting - CVE-2014-3110.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit these vulnerabilities. Honeywell’s report on these
vulnerabilities is only available to registered owners.
NOTE: This advisory was previously posted to the US-CERT
Secure Portal. Once again, I urge all control system owners, integrators and
security researchers to register for access to this portal for valuable advance
notice of advisories like this.