This afternoon DHS ICS-CERT published a control systemadvisory for two vulnerabilities reported in the Unitronics VisiLogic OPLC IDE.
The vulnerabilities were reported (through ZDI) by Steven Seeley of Source
Incite, Fritz Sands of ZDI, and Andrea Micalizzi. Unitronics has produced an
update package but there is no indication that any of the researchers were provided
the opportunity to verify the efficacy of the fix.
The two vulnerabilities were:
• Unsafe ActiveX control marked
safe for scripting – CVE-2015-6478;
and
• Code injection – CVE-2015-7905
ICS-CERT reports that a moderately skilled attacker could
remotely exploit these vulnerabilities to execute arbitrary code.
There is nothing on the Unitronics web site or in the version
documentation that describes the security vulnerabilities. There is the
possibility that Unitronics directly contacted their customers during the period
that this vulnerability was listed on the US CERT Secure Portal (posted
November 3rd, 2015).
Actually, looking at the vulnerability ID number assigned by
ICS-CERT (ICSA-15-274-02) it would seem that the advisory was probably placed
on the Secure Portal on October 1st when the
Omron advisory (ICSA-15-274-01) was published. Either that, or something
happened at the last minute to cause ICS-CERT to hold the advisory for more
than a month.
BTW: If you had been following the ICS-CERT notices on the
Secure Portal, you would have already known about this vulnerability. If you
are a critical infrastructure owner or cybersecurity officer see the bottom of
the ICS-CERT landing page for
instructions on how to apply for access.
Posts
No comments:
Post a Comment