This afternoon the DHS ICS-CERT updated a Siemens advisory
for SIMATIC HMI Devices and published a new advisory for Schneider
Electric InduSoft Web Studio.
Siemens Update
This update notes that Siemens is now reporting that all of the affected
HMI devices have updates available to mitigate the three vulnerabilities
reported in the original advisory back in April. It also adds three
different types of SIMATIC HMI panels to the list of affected and
mitigated products.
Schneider Advisory
This advisory describes a clear-text storage of sensitive information
vulnerability in Schneider Electric's InduSoft Web Studio and InTouch
Machine. The vulnerability was
originally reported by Gleb Gritsai, Alisa Esage Shevchenko, Ilya Karpov, and
the team from Positive Technologies Security. Schneider has produced patches to
mitigate the vulnerability but there is no indication that the researchers have
been given the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker with
local access can obtain project passwords from the configuration file. These
can then be used to execute arbitrary code.
NOTE: The link provided in the Advisory for the Schneider
report on the InduSoft version of this vulnerability does not get to the
report; Schneider does not yet have the vulnerability listed. Here is the direct
link.