This afternoon the DHS ICS-CERT published two control system advisories for products from Schneider and Advantech.
The Schneider advisory describes a cross-site scripting vulnerability in the Schneider Electric PowerLogic PM8ECC communications add-on module for the Series 800 PowerMeter. The vulnerability is apparently self-reported. Schneider has produced a firmware update for the module.
Schneider published their Security Notice on this vulnerability on May 11th, 2016.
The Advantech advisory describes multiple vulnerabilities in the Advantech WebAccess product. The vulnerabilities were reported by Zhou Yu of Acorn Network Security. Advantech has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Zhou has had a chance to verify the efficacy of the fix.
The vulnerabilities include:
• Unsafe ActiveX controls marked as safe for scripting - CVE-2016-4525; and
• Classic buffer overflow - CVE-2016-4528.
ICS-CERT reports that a social engineering attack is required to exploit these vulnerabilities, but a successful exploit could allow an attacker to insert and run arbitrary code on an affected system.
The Advantech version notes for the new version (8.1_20160519) produced to correct these vulnerabilities mention ‘buffer-overrun’ vulnerabilities in BwAspObj.dll and cellvision.ocx, but they do not mention any ActiveX vulnerabilities. They do, however, mention a vulnerability that reveals the password in the Project User web page, which was not mentioned in the ICS-CERT advisory.