Thursday, March 17, 2016

ICS-CERT Updates Advisory and Publishes New Advisory

This morning the DHS ICS-CERT published an update for an advisory published in December for a cross-site scripting vulnerability in the XZERES 442SR turbine generator operating system (OS). It also published a new advisory for a vulnerability in the ABB Panel Builder 800.

This update corrects the CVE number for the vulnerability. The CVE number published in the original advisory actually belonged to a different cross-site scripting vulnerability in the same equipment, one that ICS-CERT had reported in an advisory published in March of last year.

ABB Advisory

This advisory describes a DLL hijacking vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Ivan Sanchez from Nullcode Team. ABB has produced a new version of the software that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an attacker must first place malicious code in a specific directory in the file system and then convince an authorized operator to execute it. ICS-CERT says that the vulnerability cannot be exploited remotely.

The ABB Security Advisory for this vulnerability (not referenced in the ICS-CERT advisory) includes a workaround that can be used until the software is updated to the newer version. Thanks to Joel Langill for tweeting about this document this morning.
