Today the DHS ICS-CERT published two control system security
advisories for products from GE and Phoenix Contact. The GE advisory was
previously published on the NCCIC Portal on December 1st, 2016.
GE Advisory
This advisory
describes an insufficiently protected credentials vulnerability in the GE
Proficy Human-Machine Interface/Supervisory Control and Data Acquisition
(HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software.
The vulnerability was reported by Ilya Karpov of Positive Technologies. GE has
produced new versions that mitigate the vulnerability. There is no indication
that Karpov has been provided the opportunity to verify the efficacy of the
fix.
ICS-CERT reports that a highly skilled attacker could
exploit the vulnerability with local access and user interaction. This,
however, was the vulnerability that ICS-CERT thought posed enough of a threat
to critical infrastructure that it required advance notice to critical
infrastructure facilities.
Phoenix Contact Advisory
This advisory
describes a default password vulnerability in the Phoenix Contact mGuard
product that was introduced into the system by updating to version 8.4.1. Phoenix
Contact self-reported this vulnerability.