Today the DHS ICS-CERT published two control system security advisories for products from OmniMetrix and Fatek Automation.
OmniMetrix Advisory
This advisory describes two vulnerabilities in the OmniMetrix OmniView web application. The vulnerabilities were reported by Bill Voltmer of Elation Technologies LLC. OmniMetrix has produced a new version that mitigates these vulnerabilities. There is no indication that Voltmer was provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Cleartext transmission of sensitive information - CVE-2016-5786; and
• Weak password requirements - CVE-2016-5801
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to control the operation of backup generators connected to the compromised account.
Fatek Automation Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Fatek Automation PLC WinProladder application. The vulnerability was reported by an unidentified researcher through the Zero Day Initiative. ICS-CERT reports that Fatek Automation will not produce a new version to mitigate this vulnerability. ZDI, on the other hand, reports that Fatek Automation will be producing a new version. There is no mention of the vulnerability on the Fatek Automation web site.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to perform a number of malicious actions, including arbitrary code execution.