This morning the DHS ICS-CERT published an advisory for the Moxa VPort ActiveX SDK Plus IP video surveillance application. The advisory is for a stack-based buffer overflow vulnerability reported by Ariele Caltabiano. Moxa has produced a new version that corrects the vulnerability, but there is no indication that Caltabiano has been given the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system. Moxa reports that the new version was available almost a month ago.
On an unrelated side note, Moxa reports that it continues to support this product on systems running Windows XP and Windows Vista. That would seem to indicate that they expect a significant number of their customers to still be using these outdated and unsupported systems for video surveillance purposes. This vulnerability may be the least of their security problems.