Today the DHS ICS-CERT published a control system security advisory for two vulnerabilities in the Certec EDV atvise scada. The vulnerabilities were reported by Sebastian Neef of Internetwache.org. Certec has produced a new version of the software to mitigate the vulnerability. There is no indication that Neef has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Cross-Site Scripting - CVE-2017-6031; and
• Header Injection - CVE-2017-6029
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary code, affecting the integrity of the device.