This afternoon the DHS ICS-CERT published a control system advisory for the Tibbo AggreGate SCADA/HMI package. The twin unrestricted upload of file with dangerous type vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi (rgod). Tibbo has produced a new version to mitigate the vulnerabilities, but there is no indication that Micalizzi has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that at least one of the vulnerabilities can be remotely exploited by a relatively unskilled attacker. A successful exploit of either vulnerability could allow the attacker to execute arbitrary code and commands.
There seems to be a discrepancy between the version number of the updated release reported in the advisory and the updates available on the Tibbo web site. ICS-CERT reports that owners should upgrade to 5.30.06. The Tibbo web site indicates that 5.30.06 is a pre-release version of the program. I suspect that this is because Tibbo has not updated their web site to account for people needing to upgrade due to the vulnerabilities reported in this advisory. Certainly there is nothing on their web site about the problem.