This morning the DHS ICS-CERT published a control system advisory for a WEB’log application from Meteocontrol. They also published the date for the fall meeting of the ICSJWG.
This advisory describes three vulnerabilities in the Meteocontrol WEB’log application. The vulnerabilities were reported by Karn Ganeshen. Meteocontrol has produced a new version that mitigates the vulnerabilities. There is no indication that Ganeshen has been provided the opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Information exposure - CVE-2016-2296;
• No authentication - CVE-2016-2297; and
• Sensitive information exposure - CVE-2016-2298.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to run system commands or access sensitive information.