This morning the DHS ICS-CERT published three advisories for
control system vulnerabilities in systems from Everest Software, IBC Solar and
Resource Data Management.
Everest Advisory
This advisory
describes two pointer dereference vulnerabilities in the Everest Software LLC
PeakHMI application. The vulnerabilities were reported by Josep Pi Rodriguez.
Everest has produced a new version that mitigates the vulnerabilities, but
there is no indication that Rodriguez has verified the efficacy of the fix.
This advisory was released to the US CERT Secure portal on August 20th,
2015 and is probably one of the ones that I
mentioned last week.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability.
ICS-CERT recommends two mitigation measures in addition to its
standard recommendations for HMI systems. They are:
• Carefully monitor or block traffic to Port 49454.
• Disable the video server if it is not being used. This video server is only for remote HMI video support. (It is disabled by default on installation.)
IBC Solar Advisory
This advisory
describes three vulnerabilities in two different IBC Solar products. The
vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that IBC Solar
has not mitigated these vulnerabilities.
The three vulnerabilities are:
• Disclosure of source code, CVE-2015-6469;
• Plain text passwords, CVE-2015-6474; and
• Cross-site scripting, CVE-2015-6475.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities.
For the first two vulnerabilities ICS-CERT suggests
upgrading to a source that does not have these vulnerabilities. It sounds to me
like they are recommending a new vendor, but they don’t come right out and say
that (DHS lawyers will be happy). For the cross-site scripting vulnerability they
recommend data validation and they also provide a link to an NSA
fact sheet on XSS.
Resource Data Management Advisory
This advisory
describes two vulnerabilities in the Resource Data Management Data Manager
application. The vulnerabilities were reported by Maxim Rupp. Resource Data
Management has produced a new version that mitigates the vulnerability, but
there is no indication that Rupp has been given the opportunity to verify the
efficacy of the fix.
The two vulnerabilities are:
• Privilege escalation, CVE-2015-6470; and
• Cross-site request forgery, CVE-2015-6468.
ICS-CERT reports that
a relatively low-skilled attacker could remotely exploit these vulnerabilities.