It has been three weeks since ICS-CERT last published an
advisory. Yesterday they published an advisory for an improper input
validation vulnerability on the GE Cimplicity system. The vulnerability was
discovered by two researchers, ZombiE and amisto0x07, that was released in a
coordinated disclosure via a HP TippingPoint’s Zero Day Initiative.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to execute arbitrary code on the system. GE
has released updates for the affected systems, but ICS-CERT does not report
that anyone has independently verified the efficacy of the fix.
The GE
Security Advisory for this vulnerability actually describes this as “multiple
vulnerabilities” as the problem exists when GlobalView, WebView or ThinView are
enabled. GE recommends that these views should be disabled if not being used
and provides instructions for doing so. If GlobalView is needed it should be
configured to run with the IIS web server.
BTW: GE published
their advisory on June 18th. I would like to think that the delay in
publishing the ICS-CERT version was so that it could be released on the
restricted US-CERT server to allow owners with access to that service a chance
to correct the problem before public disclosure was made. But, ICS-CERT usually
mentions that in their advisories when that occurs.
Posts
No comments:
Post a Comment