Today the DHS ICS-CERT published three control system security advisories for products from Rockwell, Marel, and Schneider.
Rockwell Advisory
This advisory describes an improper input validation vulnerability in the Allen-Bradley Stratix and ArmorStratix Industrial Ethernet and Distribution switches. The vulnerability is apparently self-reported. Rockwell has developed compensating controls to mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to impact the availability of the target device or to execute arbitrary code with elevated privileges.
This vulnerability is actually found in the Cisco IOS and Cisco IOS XE software used in the Rockwell products. The same vulnerability is found in a number of Cisco switches and possibly in switches from other vendors not mentioned in the ICS-CERT advisory.
Marel Advisory
This advisory describes two vulnerabilities in a variety of Marel Food Processing Systems. The vulnerabilities were reported by Daniel Lance. ICS-CERT reports that Marel has not produced any mitigating measures.
The two reported vulnerabilities are:
• Hard-Coded Passwords, CVE-2016-9358; and
• Unrestricted Upload, CVE-2017-6041.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to gain unauthorized administrative access to affected devices.
Schneider Advisory
This advisory describes a DLL vulnerability in the Schneider Interactive Graphical SCADA System (IGSS) Software. The vulnerability was reported by Karn Ganeshen. Schneider Electric recommends that users upgrade to Windows 10 to mitigate this vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code.
The Schneider Security Notification reports that the vulnerability also applies to certain OCX files when using Windows 7®.