This morning the DHS ICS-CERT published a control system advisory
for a WEB’log application from Meteocontrol. They also published the date for
the fall meeting of the ICSJWG.
Meteocontrol Advisory
This advisory describes three vulnerabilities in the Meteocontrol WEB’log
application. The vulnerabilities were reported by Karn Ganeshen. Meteocontrol
has produced a new version that mitigates the vulnerabilities. There is no
indication that Ganeshen has been provided the opportunity to verify the
efficacy of the fix.
The vulnerabilities include:
• Information exposure - CVE-2016-2296;
• No authentication - CVE-2016-2297; and
• Sensitive information exposure - CVE-2016-2298.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to run system commands or access
sensitive information.