Note: It’s been a busy week at my real job, so some stuff is being posted much later
than normal.

On Thursday DHS ICS-CERT published an advisory for two vulnerabilities in the
DeltaV product from Emerson. The vulnerabilities were reported to Emerson in a
coordinated disclosure by a team (Kirill Nesterov, Alexander Tlyapov, Dmitry
Nagibin, Alexey Osipov, and Timur Yunusov) from Positive Technologies. Emerson
has produced a patch to mitigate the vulnerabilities, but there is no
indication in the advisory whether Positive Technologies has had a chance to
validate the efficacy of the patch.

The two vulnerabilities are:
• Improper authorization - CVE-2014-2349;
• Hard-coded credentials - CVE-2014-2350.

ICS-CERT reports that a relatively unskilled attacker with local access and a
successful social engineering attack could exploit these vulnerabilities to
conduct a denial of service attack, read or replace configuration files, or log
into accounts.

Emerson only releases their advisories to customers, so no other information on
these vulnerabilities is publicly available.