Today the DHS ICS-CERT published two control system security
advisories for products from GE and Tollgrade.
GE Proficy Advisory
This advisory
describes an improper privilege management vulnerability in earlier versions of
the GE Proficy HMI/SCADA CIMPLICITY application. The vulnerability was reported
by Zhou Yu of Acorn Network Security. GE notes that subsequent versions of the
application do not contain the vulnerability, having been corrected by August
2014.
ICS-CERT reports that local access is required or that a
remote exploit would require a social engineering attack. Exploit code is publicly available (link not
provided in ICS-CERT Advisory).
The GE Product Security Advisory for this vulnerability
recommends upgrading to a newer version of the application, but it also
provides commands that serve to mitigate the vulnerability in the affected
versions.
Tollgrade Advisory
This advisory
describes three vulnerabilities in the Tollgrade Communications, Inc. Smart
Grid LightHouse Sensor Management System (SMS) Software EMS. The vulnerabilities
were reported by Ashish Kamble of Qualys, Inc. Tollgrade has produced a new
version that mitigates the vulnerabilities. ICS-CERT reports that Kamble has
tested the new version to verify the efficacy of the fix.
The vulnerabilities are:
• Missing authentication for
critical application - CVE-2016-5790;
• Information exposure through an
error message - CVE-2016-5797; and
• Forced browsing - CVE-2016-5807
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerabilities to restart the system, brute force a
login, or change privileged parameters.
Posts
No comments:
Post a Comment