This afternoon the DHS ICS-CERT published an
advisory for a pair of vulnerabilities, self-reported by the vendor, in RuggedCom
devices running the ROS firmware. Siemens ProductCERT
reported the vulnerabilities today as well, announcing the availability
of a firmware update that mitigates both of them.
ICS-CERT describes the vulnerabilities as:
• Use of insufficiently random values, CVE-2013-6925; and
• Authentication bypass issues, CVE-2013-6926.
NOTE: The CVE links are not yet
active.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to perform limited
administrative operations on the device over the network. Siemens notes that, for both
vulnerabilities, the attacker must have network access to the affected device's
web interface (port 443/tcp), so restricting access to that port from untrusted
networks limits exposure until the firmware update is applied.
BTW: Siemens
ProductCERT also published another industrial control system advisory
today, for a privilege escalation vulnerability in the COMOS engineering
solution. Siemens has patches available for the affected versions of COMOS.
There is no indication of why ICS-CERT has not published a similar advisory
for that issue.