Today the DHS ICS-CERT published a new control system
security advisory for a product from CA Technologies. Earlier this week I
missed the fact that they also updated a previously published (and much
updated) advisory for multiple products from Siemens.
CA Technologies Advisory
This advisory
describes a directory traversal vulnerability in the CA Technologies Unified
Infrastructure Management application. The vulnerability was reported by Andrea
Micalizzi (rgod), working with Zero Day Initiative. CA Technologies has
produced an update to mitigate the vulnerability. There is no indication that
Andrea has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to create or overwrite critical files that
are used to execute code, such as programs or libraries.
The CA Technologies Security
Notice (not referenced in the ICS-CERT Advisory) includes two additional
vulnerabilities:
• Insecure handling of session IDs - CVE-2016-9164; and
• Path traversal information disclosure - CVE-2016-9165
Latest Siemens Update
This update
provides updated affected version information for SIMATIC S7 products. It also
provides links for new updates for various SIMATIC S7 products. The latest
update of the Siemens
Security Notification also notes that Siemens corrected fix information for
PCS 7 V8.0 and V8.1.