Thursday, March 17, 2016

ICS-CERT Updates Advisory and Publishes New Advisory

This morning the DHS ICS-CERT published an update for an advisory published in December for a cross-site scripting vulnerability in the XZERES 442SR turbine generator operating system (OS). It also published a new advisory for a vulnerability in the ABB Panel Builder 800.

XZERES Update
This update corrects the CVE number for the vulnerability. The CVE number published in the original advisory was actually for another cross-site scripting vulnerability in the same equipment that was reported by ICS-CERT in an advisory published in March of last year.

ABB Advisory
This advisory describes a DLL hijacking vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Ivan Sanchez from Nullcode Team. ABB has produced a new version of the software that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an attacker must get malicious code to a specific directory in the file system and then convince an authorized operator to execute the code. ICS-CERT says that this cannot be exploited remotely.
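
The precondition ICS-CERT describes, that the attacker can first place code in the directory the application loads from, is something an asset owner can check for directly. The PowerShell audit below is an added example, not part of the advisory or of ABB's workaround; the install path is a placeholder assumption, and the list of low-privilege principals is a common default rather than anything taken from the advisory.

```powershell
# Added example: audit an application directory for ACL entries that let
# low-privilege principals create or replace files. A DLL-hijacking attack
# of the kind described needs exactly that write access, so a clean result
# removes the precondition. The install path is a placeholder assumption.
param(
    [string]$AppDir = 'C:\Program Files (x86)\ABB\Panel Builder 800'   # placeholder path
)

# Principals that should never hold write rights on an application directory
# (assumed list; extend with site-specific groups as needed).
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# FileSystemRights flags that allow placing or overwriting a DLL.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WritableByLowPriv {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
    # Check the directory itself and every subdirectory; DLL search paths are often nested.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName
        foreach ($ace in $acl.Access) {
            $isAllow     = $ace.AccessControlType -eq 'Allow'
            $isLowPriv   = $LowPrivPrincipals -contains $ace.IdentityReference.Value
            $grantsWrite = ([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0
            if ($isAllow -and $isLowPriv -and $grantsWrite) {
                [pscustomobject]@{
                    Directory = $d.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = Find-WritableByLowPriv -Path $AppDir
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No low-privilege write access found under $AppDir" }
```

Any row returned is a directory where an unprivileged account could drop a DLL for the application to load; the fix is to remove that write grant or move the application under a properly restricted path.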
The ABB Security Advisory (not referenced in the ICS-CERT advisory) for this vulnerability includes a workaround that can be applied until the software is updated to the newer version. Thanks to Joel Langill for tweeting about this document this morning.
