Yesterday the DHS ICS-CERT published an
advisory for an XML external entity vulnerability in three Schneider
Electric products. The vulnerability was reported to Schneider by Timur
Yunusov, Alexey Osipov, and Ilya Karpov of Positive Technologies.
ICS-CERT reports that a moderately skilled attacker with
local access to affected systems could exploit this vulnerability to gain
access to information on the system. Schneider
reports that the vulnerability could also lead to a denial of service
attack.
Schneider has produced a series of patches for this vulnerability
for the affected systems. There is no indication in the Advisory that there has
been any outside verification of the efficacy of the patches. Interestingly,
the Schneider disclosure document reminds users that if they must re-install or
repair the affected products that the “should first uninstall the fix,
re-install\repair the affected product(s) and then reinstall the fix”.
Hopefully customers will be able to ensure that this information remains
prominently available over the lifetime of the product.
NOTE: Schneider publicly
released their vulnerability disclosure on July 28th after
making it available on their secure portal on May 9th. The ICS-CERT Advisory does not provide links
to either the disclosure document or the vulnerability report.
Posts
No comments:
Post a Comment