Thursday, November 17, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Moxa and Vanderbilt Industries.

Moxa Advisory

This advisory describes multiple vulnerabilities in the Moxa SoftCMS Webserver Application. The vulnerabilities were reported by Zhou Yu (through the Zero Day Initiative) and Gu Ziqiang from Huawei Weiran Labs. Moxa has produced an update to mitigate the vulnerabilities. ICS-CERT reports that both researchers have validated the efficacy of the fix.

The reported vulnerabilities are:

• Improper input validation - CVE-2016-9332;
• Double free - CVE-2016-8360; and
• SQL injection - CVE-2016-9333.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary commands on the target system, as well as gain access to administrative functions of the application.

Vanderbilt Industries Advisory

This advisory describes an insufficiently protected credentials vulnerability in the Siemens-branded IP cameras from Vanderbilt Industries. Vanderbilt bought the security product line from Siemens in 2015. It appears that Siemens produced updates for the cameras that mitigate the vulnerability.

ICS-CERT reports that a relatively unskilled attacker with network access to the web server could remotely exploit this vulnerability to obtain administrative credentials.

It is interesting that Siemens published a Security Notice for this vulnerability and publicized that notice on TWITTER®. BTW: I can find no mention of this vulnerability on the Vanderbilt Industries web site.
