Today the DHS ICS-CERT published two control system security advisories for products from Moxa and Vanderbilt Industries.
This advisory describes multiple vulnerabilities in the Moxa SoftCMS Webserver Application. The vulnerabilities were reported by Zhou Yu (through the Zero Day Initiative) and Gu Ziqiang from Huawei Weiran Labs. Moxa has produced an update to mitigate the vulnerability. ICS-CERT reports that both researchers have validated the efficacy of the fix.
The reported vulnerabilities are:
• Improper input validation - CVE-2016-9332;
• Double free - CVE-2016-8360; and
• SQL injection - CVE-2016-9333
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary commands on the target system, as well as gain access to administrative functions of the application.
Vanderbilt Industries Advisory
This advisory describes an insufficiently protected credential vulnerability in the Siemens-branded IP cameras from Vanderbilt Industries. Vanderbilt bought the security product line from Siemens in 2015. It appears that Siemens produced updates for the cameras that mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker with network access to the web server could remotely exploit this vulnerability to allow the attacker to obtain administrative credentials.