This morning the DHS ICS-CERT published an advisory
for a cross-site scripting vulnerability in building controller communications
modules from Siemens. The vulnerability was reported by Aditya Sood. Siemens
has produced a firmware update that mitigates the vulnerability, but there is
no indication that Sood has had a chance to verify the efficacy of the fix.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to change data and settings on the target
device.
The Siemens Advisory does mention the web server login form
as being associated with this vulnerability that the ICS-CERT advisory
describes. On the other hand, the ICS-CERT advisory does not mention needing to
use a social engineering attack (usually prominently featured in ICS-CERT
advisories) to get the user to access a specially crafted web site to exploit
the vulnerability that the Siemens Advisory describes. It is almost as if the
two advisories are describing different vulnerabilities using the same CVE.
NOTE: The difference in CVSS base scores is more easily
explained by the different versions of the scoring system used by the
two organizations to calculate those scores.