Today the DHS ICS-CERT published an advisory
describing a vulnerability in the Invensys Wonderware Win-XML Exporter. The
improper input validation vulnerability was reported by Timur Yunusov, Alexey
Osipov, and Ilya Karpov of the Positive Technologies
Research Team in a coordinated disclosure. This advisory was originally released
on the US-CERT Secure Portal on March 8th, 2013.

ICS-CERT reports that an attacker with a moderate skill set
could exploit this vulnerability to conduct a DoS attack or gain access to system
information. The advisory states that this vulnerability is not remotely
exploitable, but it looks like a social engineering attack could cause a system
user to access a specially crafted XML file to execute the attack.

Invensys has developed an update for the Win-XML Exporter
that mitigates the vulnerability; it is available on the company
download site. The update has been validated by the original researchers.