Thursday, November 10, 2016

ICS-CERT Publishes One Advisory and Updates Another

Today the DHS ICS-CERT published a new control system security advisory for a product from CA Technologies. Earlier this week I missed the fact that they also updated a previously published (and much updated) advisory for multiple products from Siemens.

CA Technologies Advisory

This advisory describes a directory traversal vulnerability in the CA Technologies Unified Infrastructure Management application. The vulnerability was reported by Andrea Micalizzi (rgod), working with Zero Day Initiative. CA Technologies has produced an update to mitigate the vulnerability. There is no indication that Andrea has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to create or overwrite critical files that are used to execute code, such as programs or libraries.

The CA Technologies Security Notice (not referenced in the ICS-CERT Advisory) includes two additional vulnerabilities:

• Insecure handling of session id’s - CVE-2016-9164; and
• Path traversal information disclosure - CVE-2016-9165

Latest Siemens Update

This update provides updated affected version information for SIMATIC S7 products. It also provides links for new updates for various SIMATIC S7 products. The latest update of the Siemens Security Notification also notes that Siemens corrected fix information for PCS 7 V8.0 and V8.1.

No comments:

/* Use this with templates/template-twocol.html */