This afternoon the DHS ICS-CERT published an update for last
week’s Advantech Advisory and four new advisories for products from
Advantech, GE, CODESYS and Schneider.
Advantech Update
This update
announces that Advantech has a new version of
WebAccess that mitigates the vulnerabilities identified in this
advisory. There is no indication that the researcher who reported the vulnerabilities
has been provided an opportunity to verify their efficacy.
Advantech describes
this new version as a minor update that includes: “improved Dashboard, security
enhancements, [emphasis added] enhanced stability of OPC tool, supports
segmentation of BAC net driver transmission, improved stability of WASCADA for
RTDB function and solves Dashboards memory leak issues”.
New Advantech
Advisory
This advisory
describes a stack-based buffer overflow vulnerability in Advantech's WebAccess
application. The vulnerability was reported by Ivan Sanchez from Nullcode Team.
Advantech has produced a new version (the same one referenced above) that
mitigates the vulnerability and ICS-CERT reports that Sanchez has verified the
efficacy of the fix.
ICS-CERT reports that a successful exploit of this vulnerability
would require a social engineering attack, which by their definition means that
the vulnerability could not be exploited remotely. It is interesting to note,
however, that similar stack-based overflows were described in the previous
advisory as remotely exploitable by a relatively inexperienced operator.
Since neither this advisory nor last week's identifies the
DLLs involved, it is not possible to determine if the same DLLs are involved in
the two advisories. It does appear, however, that this advisory may be the
reason for the delay in publication of the new version that caused Praveen
Darshanam to publicly release his proof-of-concept exploit code on the other
vulnerabilities.
GE Advisory
This advisory describes
two vulnerabilities in the GE MDS PulseNET product line. The vulnerabilities were
reported through HP's Zero Day Initiative. GE has produced a new version of
the software involved to mitigate these vulnerabilities. There is no indication
that the original researcher has been provided the opportunity to verify the
efficacy of the fix.
The two vulnerabilities are:
∙ Use of hard-coded credentials, CVE-2015-6456; and
∙ Relative path traversal, CVE-2015-6459.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to operate on the system with
administrative access or read/delete arbitrary files on the system.
The GE
Product Bulletin [.PDF Download] for this advisory identifies Andrea
Micalizzi (rgod) as the researcher who reported the vulnerability.
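The relative path traversal item above is the one vulnerability in this batch whose mitigation is easy to show concretely. The following is an added illustration written for this post, not GE's or ICS-CERT's code, and it assumes nothing about how PulseNET actually handles file requests: it shows the canonical check a file-serving component should make before reading or deleting a file named by a client, using a constructed document root and constructed request strings.

```python
import os
from typing import Optional

# Constructed document root for the example (hypothetical path, not a PulseNET path).
DOCUMENT_ROOT = "/srv/example_app/files"


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside `root`,
    otherwise None. Both the read and the delete operation named in the
    advisory should go through a check like this before touching the disk."""
    root_abs = os.path.realpath(root)
    # os.path.join discards root when `requested` is absolute; realpath then
    # collapses "..", ".", and symlinks so the containment test is meaningful.
    candidate = os.path.realpath(os.path.join(root_abs, requested))
    # A path is inside the root only if the root is its common prefix as a
    # path component sequence (string prefix alone would accept "/srv/example_app/files2").
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def classify_requests(root: str, requests: list) -> dict:
    """Split constructed client-supplied paths into accepted and rejected.
    Rejected entries are what a defender would expect to see logged."""
    result = {"accepted": [], "rejected": []}
    for req in requests:
        resolved = resolve_under_root(root, req)
        if resolved is None:
            result["rejected"].append(req)
        else:
            result["accepted"].append(req)
    return result


if __name__ == "__main__":
    # Constructed sample requests; the traversal strings are the generic textbook
    # forms, not taken from the advisory.
    sample = [
        "reports/today.log",          # legitimate
        "a/../b.txt",                 # climbs, but stays inside the root
        "../../etc/passwd",           # classic relative traversal
        "reports/../../etc/passwd",   # traversal hidden behind a valid prefix
        "/etc/passwd",                # absolute path smuggled into a join
    ]
    verdict = classify_requests(DOCUMENT_ROOT, sample)
    for path in verdict["rejected"]:
        print(f"rejected: {path!r}")
    for path in verdict["accepted"]:
        print(f"accepted: {path!r} -> {resolve_under_root(DOCUMENT_ROOT, path)}")
```

The check runs on POSIX path semantics; on a Windows host the same containment test must be done with that platform's separators and drive handling, which `os.path` provides when the code runs there. The key point for review is that the check happens after canonicalisation, never on the raw string, and that it is applied to every file operation, not only to reads.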
CODESYS Advisory
This advisory
describes a heap-based buffer overflow vulnerability in the CODESYS Gateway
Server. The vulnerability was reported through the HP Zero Day Initiative by Josep
Pi Rodriguez. 3S has produced a new version that mitigates this vulnerability,
but there is no indication that Rodriguez was provided an opportunity to verify
the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit this vulnerability to execute arbitrary code on the
system.
Schneider Advisory
This advisory
describes a clear-text transmission vulnerability in the Schneider StruxureWare
Building Expert product. The vulnerability was reported by Artyom Kurbatov.
Schneider has produced a firmware patch that mitigates the vulnerability and
Kurbatov has verified the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to obtain log-in credentials.