Earlier today the DHS ICS-CERT published three new control system security advisories for products from Meinberg, Unitronics, and Rockwell.
This advisory describes multiple vulnerabilities in the Meinberg NTP Time Servers Interface. The vulnerabilities were reported by Ryan Wincey. Meinberg has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Wincey has verified the efficacy of the fix.
The vulnerabilities include:
• Twin stack-based buffer overflows - CVE-2016-3962 and CVE-2016-3988; and
• Privilege escalation - CVE-2016-3989
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a buffer overflow condition that may allow escalation to root privileges.
This advisory describes a stack-based overflow vulnerability in the Unitronics VisiLogic product. The vulnerability was reported by Steven Seeley of Source Incite via ZDI. Unitronics has produced a new version that mitigates the vulnerability. There is no indication that Seeley has been given an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to execute arbitrary code.
The Unitronics CERT Compliance page reports that the vulnerability is in the 'Xceed Zip Compression Library' (XceedZip.dll), a 3rd party component from Xceed. Unitronics upgraded to version 6.5.16068.0 in their updated version.
NOTE: Once again a vulnerability in a 3rd party library raises the question of what other control system programs are using the vulnerable version of this DLL.
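One way to start answering that question on your own engineering workstations, as an added example (not code from the advisory, Unitronics or Xceed): a Python script that walks a directory tree, finds every copy of XceedZip.dll and reads its file version from the VS_FIXEDFILEINFO structure. It assumes that 6.5.16068.0 is the library version and that older copies deserve review, since the text above gives no exact vulnerable range; the signature search is a heuristic, not a full PE resource parser.

```python
import os
import struct
import sys

# VS_FIXEDFILEINFO begins with the signature 0xFEEF04BD (little-endian on disk).
FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)
# Version the page says Unitronics upgraded to; treating older copies as
# "needs review" is an assumption of this example.
UPDATED_VERSION = (6, 5, 16068, 0)
TARGET_NAME = "xceedzip.dll"


def file_version(data):
    """Return (major, minor, build, revision) from VS_FIXEDFILEINFO, or None."""
    pos = data.find(FIXEDFILEINFO_SIG)
    while pos != -1:
        if pos + 16 <= len(data):
            _sig, struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
            if struc_ver == 0x00010000:  # dwStrucVersion 1.0 filters chance matches
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FIXEDFILEINFO_SIG, pos + 1)
    return None


def classify(version):
    """Compare a version tuple against the updated release named on the page."""
    if version is None:
        return "unknown"
    return "older" if version < UPDATED_VERSION else "updated-or-newer"


def scan(root):
    """Yield (path, version, status) for every XceedZip.dll under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    version = file_version(fh.read())
            except OSError:
                version = None  # unreadable copy: report it as unknown
            yield path, version, classify(version)


if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:17} {shown:14} {path}")
```

Run it against a program directory or a mounted disk image; copies reported as "unknown" have no readable version resource and need a manual check.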
This advisory describes a resource management vulnerability in the Rockwell Allen-Bradley Stratix 5400 and Allen-Bradley Stratix 5410 industrial networking switches. The vulnerability is apparently self-reported.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to impact traffic (or packets) transiting the affected device.