Earlier today the DHS ICS-CERT published an
advisory covering multiple vulnerabilities in Invensys Wonderware
Information Server products. The coordinated disclosure was made by Timur
Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies
Research Team. The multiple vulnerabilities included:
• Cross-site scripting, CVE-2013-0688;
• SQL injection, CVE-2013-0684;
• Improper input validation, CVE-2013-0686; and
• Resource exhaustion, CVE-2013-0685.
NOTE: These CVE links will not be functional for a couple of
days.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit these vulnerabilities to execute arbitrary code, disclose
information, or hijack session credentials. The advisory notes
that Invensys has developed a software
update (registration required) that the Positive Technologies researchers (PTR)
have verified mitigates the identified vulnerabilities.
These are old-school vulnerabilities that should have been
identified a long time back. I think the reason they are just turning up now is
that they are in an ICS server. It looks like researchers are expanding the
areas in which they are searching for ICS vulnerabilities. How many other types
of ICS equipment will have similar vulnerabilities that would allow access to
the control system?
BTW: A couple
of posts back I noted that ICS-CERT had changed its format for these
advisories and that one of the changes was the removal of the Traffic Light
Protocol (TLP) markings. I just noticed that this advisory still includes a description
of the TLP:WHITE marking; it shows up near the top of page 3 of the saved .PDF
version of the advisory. This is the first time this FAQ has shown up on an
advisory since the format change.