Today the DHS ICS-CERT published two control system security advisories for products from OmniMetrix and Fatek Automation.
This advisory describes two vulnerabilities in the OmniMetrix OmniView web application. The vulnerabilities were reported by Bill Voltmer of Elation Technologies LLC. OmniMetrix has produced a new version that mitigates the vulnerability. There is no indication that Voltmer was provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Cleartext transmission of sensitive information - CVE-2016-5786; and
• Weak password requirements - CVE-2016-5801
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to control the operation of backup generators connected to the compromised account.
Fatek Automation Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Fatek Automation PLC WinProladder application. The vulnerability was reported by an unidentified researcher through the Zero Day Initiative. ICS-CERT reports that Fatek Automation will not produce a new version to mitigate this vulnerability. ZDI, on the other hand, reports that Fatek Automation will be producing a new version. There is no mention of the vulnerability on the Fatek Automation web site.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to perform a number of malicious actions including arbitrary code execution.