Today the DHS ICS-CERT published two control system security
advisories for products from Schneider and Moxa.
Schneider Advisory
This advisory
describes twin uncontrolled resource consumption vulnerabilities in the
Schneider Electric Magelis human-machine interface (HMI) products. The
vulnerabilities were reported in a coordinated disclosure by Eran Goldstein, in
collaboration with Check Point Software Technologies and CRITIFENCE and publicly reported
earlier this week. Schneider plans on having a new release available next
spring, but is providing work arounds listed in this advisory.
While ICS-CERT calls both vulnerabilities ‘uncontrolled
resource consumption vulnerabilities. CRITIFENCE uses more descriptive names:
• Improper implementation of HTTP
get request – CVI-2016-8367; and
• Improper implementation of HTTP chunked
Transfer-Encoding request - CVI-2016-8374.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to cause a denial of service for the
affected devices. The Schneider security
notification notes that the vulnerabilities can only be exploited when the
Web Gate Server is activated; the function is disabled by default.
BTW: These are the Schneider vulnerabilities that I retweeted
about earlier this week.
Moxa Advisory
This advisory
describes two vulnerabilities in the Moxa OnCell Security Software. The vulnerabilities
were reported by Maxim Rupp (who at this point should be listed as a member of
the Moxa cybersecurity team; just saying). Moxa has produced a new version (for
two of the ten affected systems) that mitigates the vulnerability. There is no
indication that Rupp was provided an opportunity to verify the efficacy of the
fix.
The vulnerabilities include:
• Improper authentication - CVE-2016-8362;
and
• Permissions, privileges and
access control - CVE-2016-8363
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to download files or execute arbitrary
command by web console.
Posts
No comments:
Post a Comment