This morning the DHS ICS-CERT published an advisory for the Moxa VPort ActiveX SDK Plus IP video surveillance application. The advisory is for a stack-based buffer overflow vulnerability reported by Ariele Caltabiano. Moxa has produced a new version that corrects the vulnerability but there is no indication that Caltabiano has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system. Moxa reports that the new version was available almost a month ago.

On an unrelated side note, Moxa reports that it continues to support this product on systems running Windows XP and Windows Vista. That would seem to indicate that they expect a significant number of their customers to still be using these outdated and unsupported systems for video surveillance purposes. This vulnerability may be the least of their security problems.