Tuesday, May 10, 2016

ICS-CERT Publishes Panasonic Advisory

This morning the DHS ICS-CERT published an advisory for a number of vulnerabilities in the Panasonic FPWIN Pro application. The vulnerabilities were reported through ZDI by Steven Seeley. Panasonic has developed a new version of the software that mitigates the vulnerabilities. There is no indication that Seeley has been given the opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Heap-based buffer overflow vulnerabilities - CVE-2016-4499;
• Access of uninitialized pointer - CVE-2016-4498;
• Out-of-bounds write - CVE-2016-4496; and
• Type confusion - CVE-2016-4497

ICS-CERT reports that a social engineering attack would be required to exploit these vulnerabilities.

NOTE: It has now been 11 days since Siemens announced that they had updated their advisory on frame padding in ROS devices. ICS-CERT has not yet updated their advisory on this vulnerability. The update provides additional information about which products are affected by the vulnerability.
