Today the DHS ICS-CERT published two control system security advisories for products from Moxa and Vanderbilt Industries.
Moxa Advisory
This advisory describes multiple vulnerabilities in the Moxa SoftCMS Webserver Application. The vulnerabilities were reported by Zhou Yu (through the Zero Day Initiative) and Gu Ziqiang from Huawei Weiran Labs. Moxa has produced an update to mitigate the vulnerabilities. ICS-CERT reports that both researchers have validated the efficacy of the fix.
The reported vulnerabilities are:
• Improper input validation - CVE-2016-9332;
• Double free - CVE-2016-8360; and
• SQL injection - CVE-2016-9333.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary commands on the target system, as well as gain access to administrative functions of the application.
Vanderbilt Industries Advisory
This advisory describes an insufficiently protected credential vulnerability in the Siemens-branded IP cameras from Vanderbilt Industries. Vanderbilt bought the security product line from Siemens in 2015. It appears that Siemens produced updates for the cameras that mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker with network access to the web server could remotely exploit this vulnerability to obtain administrative credentials.
It is interesting that Siemens published a Security Notice for this vulnerability and publicized that notice on TWITTER®. BTW: I can find no mention of this vulnerability on the Vanderbilt Industries web site.