This morning the DHS ICS-CERT published an advisory
for a number of vulnerabilities in the Panasonic FPWIN Pro application. The
vulnerabilities were reported through ZDI by Steven Seeley. Panasonic has
developed a new version of the software that mitigates the vulnerability. There
is no indication that Seeley has been given the opportunity to verify the
efficacy of the fix.
The vulnerabilities include:
• Heap-based buffer overflow
vulnerabilities - CVE-2016-4499;
• Access of uninitialized pointer -
CVE-2016-4498;
• Out-of-bounds write -
CVE-2016-4496; and
• Type confusion - CVE-2016-4497
ICS-CERT reports that a social engineering attack would be
required to exploit these vulnerabilities.
NOTE: It has now been 11 days since Siemens
announced that they had updated their
advisory on frame padding in ROS devices. ICS-CERT has not yet updated their
advisory on this vulnerability. The updated provides additional information
about which products are affected by the vulnerability.
Posts
No comments:
Post a Comment