Tuesday, September 19, 2017

ICS-CERT Publishes PHOENIX CONTACT Advisory

Today the DHS ICS-CERT published a control system security advisory for products from PHOENIX CONTACT. They also provided a link to a British publication: “Code of Practice CyberSecurity for Ships”.

PHOENIX CONTACT Advisory
This advisory describes ten improper access control vulnerabilities in the PHOENIX CONTACT mGuard Device Manager. The vulnerabilities are related to the Oracle Java SE implementation in the product. They were self-reported by PHOENIX CONTACT, which has released a new version that mitigates them.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain unauthorized remote access and modify data, and that they may allow remote and local users to gain elevated privileges.

Once again, we see a vulnerability caused by third-party software, and there is an open question about what other software systems contain the same vulnerabilities. It is interesting that all ten of these Oracle vulnerabilities are dated 2017. That makes it even more likely that other vendors using the same Oracle software have not yet discovered or mitigated the vulnerabilities in their products.

Cyber Security for Ships
The code of practice document was produced for the British Government by the Institution of Engineering and Technology. It provides a high-level overview of the topic, including an interesting overview of the threat environment for the shipping industry. Appendix D provides a non-technical description of how mitigation measures can be developed, and Appendix H provides a lengthy bibliography of cybersecurity standards for both IT and operational systems.
