This morning the DHS ICS-CERT published two advisories for control system vulnerabilities in systems from Rockwell and Schneider.
The Rockwell advisory describes a cross-site scripting vulnerability in the Rockwell Automation CompactLogix application that was first reported in an ICS-CERT Alert last August (and updated here). The vulnerability was reported by Aditya Sood. Rockwell has produced a firmware update to mitigate the vulnerability. There is no indication that Sood was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to deliver an attack to the connected web browser and thus affect availability.
The Schneider advisory describes an OS command injection vulnerability in the Schneider StruxureWare Building Operations software. The vulnerability was reported by Karn Ganeshen. Schneider has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided the opportunity to verify the efficacy of the fix. The Schneider Security Notification also reports a weak credential management vulnerability addressed by the same “Automation Server firmware” update that addresses the command injection vulnerability.
ICS-CERT reports that a relatively unskilled attacker who was an authenticated user could remotely exploit this vulnerability to circumvent access controls.