Friday, September 30, 2016

ICS-CERT Publishes Building Control System Advisory

Yesterday the DHS ICS-CERT published a control system security advisory for twin vulnerabilities in the American Auto-Matrix Building Automation Front-End Solutions application. The vulnerabilities were reported by Maxim Rupp. American Auto-Matrix has produced an update to mitigate the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Local file inclusion - CVE-2016-2307; and
• Plain text storage of a password - CVE-2016-2308

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to obtain authenticated credentials that provide access to all aspects of the system.
