This morning the DHS ICS-CERT published an update for an advisory published in December for a cross-site scripting vulnerability in the XZERES 442SR turbine generator operating system (OS). It also published a new advisory for a vulnerability in the ABB Panel Builder 800.
XZERES Update
This update corrects the CVE number for the vulnerability. The CVE number published in the original advisory was actually for another cross-site scripting vulnerability in the same equipment that was reported by ICS-CERT in an advisory published in March of last year.
ABB Advisory
This advisory describes a DLL hijacking vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Ivan Sanchez from Nullcode Team. ABB has produced a new version of the software that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an attacker must get malicious code into a specific directory in the file system and then convince an authorized operator to execute the code. ICS-CERT says that this cannot be exploited remotely.
The ABB Security Advisory (not referenced in this advisory) for this vulnerability has a workaround that can be used pending the updating of the software to the newer version. Thanks to Joel Langill for tweeting about this document this morning.