Thursday, March 12, 2015

ICS-CERT Publishes Schneider Advisory

Today the DHS ICS-CERT published an advisory for a buffer overflow vulnerability in the Schneider Pelco DS-NVs software package (video management software). The vulnerability was reported by Ariele Caltabiano (kimiya) and Andrea Micalizzi (rgod) via the HP Zero Day Initiative. Schneider has produced a patch which mitigates the vulnerability, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code.

Neither this advisory nor the Schneider notification identifies the vulnerable DLL involved in this vulnerability, so it is not possible to tell if the vulnerability would be unique to this application or if it might be found in multiple Schneider products.
