This afternoon the DHS ICS-CERT published
an alert on an uncoordinated disclosure of multiple vulnerabilities in the Sinapsi
eSolar Light Photovoltaic System Monitor. The disclosure was made by Roberto
Paleari and Ivan Speziale, who
described the vulnerable system as being
the Schneider Electric Ezylog photovoltaic SCADA management server.
ICS-CERT notes that the Italian company produces the system that is used by
multiple vendors including Schneider Electric.
The multiple vulnerabilities reported were:
• Hard-coded Credentials
• SQL Injection
• Command Execution
• Broken Session Enforcement
Tomorrow’s ICS-CERT Alerts?
Joel Langill reports
on his SCADAHacker Blog that Gleg has released SCADA+ Exploit Pack V 1.18 that
includes 0-day exploits for three separate SCADA systems: Elipse E3, Carel
PlantVisor, and QNX FTPD. Joel has a brief synopsis of the vulnerabilities. I
would expect ICS-CERT to address these vulnerabilities tomorrow. I suspect
that these may be advisories instead of alerts; there were some TWEETS® sometime
last month about Gleg-related releases on the secure US CERT server.