The afternoon the DHS ICS-CERT updated (up to ‘F’ now) their
Situational Awareness Alert for the OpenSSL vulnerability. They also published
new advisories for vulnerabilities in systems from Trihedral Engineering and
Yokogawa.
HeartBleed
This update adds
ABB to the list of vendors with affected products. The Relion 650 series has a
patch available to mitigate the vulnerability. There is no explanation as to
why this update was so long in coming. The last HeartBleed
update was published back in April and ABB
published their advisory in July.
Trihedral Advisory
This advisory describes
an integer overflow vulnerability in their VTS and VTScada products. The
vulnerability was reported by an anonymous researcher through ZDI. ICS-CERT
reports that Trihedral has produced a patch that mitigates the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to cause the application to crash.
Interestingly the Trihedral
update page says nothing about this vulnerability in their upgrade
descriptions. ZDI
does report that they notified Trihedral of this vulnerability (ZDI-CAN-2599)
on November 19th so this was a very quick response.
Yokogawa Advisory
This advisory
reports an XML external entity processing vulnerability in the Yokogawa
FAST/TOOLS application. The vulnerability was reported by Timur Yunusov, Alexey
Osipov, and Ilya Karpov of Positive Technologies Inc. ICS-CERT reports that Yokogawa
has developed a service pack that mitigates this vulnerability, but no mention
is made that the researchers have verified the efficacy of the fix.
ICS-CERT reports that it would be difficult to craft an
exploit of this vulnerability and local access would be required. Yokogawa
also reports (in their CVSS calculation) that local access is required, but
note that it can be exploited by an attacker that “intrudes into the WebHMI
server in any way”. Something may be lost in translation there because that
sounds to me like remote access could be used to exploit this vulnerability.
I mentioned
earlier that Yokogawa had publicly reported this vulnerability over a week
and a half ago; not very timely reporting by ICS-CERT.
Posts
No comments:
Post a Comment