Thursday, December 15, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from OmniMetrix and Fatek Automation.

OmniMetrix Advisory

This advisory describes two vulnerabilities in the OmniMetrix OmniView web application. The vulnerabilities were reported by Bill Voltmer of Elation Technologies LLC. OmniMetrix has produced a new version that mitigates the vulnerability. There is no indication that Voltmer was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2016-5786; and
• Weak password requirements - CVE-2016-5801

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to control the operation of backup generators connected to the compromised account.

Fatek Automation Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fatek Automation PLC WinProladder application. The vulnerability was reported by an unidentified researcher through the Zero Day Initiative. ICS-CERT reports that Fatek Automation will not produce a new version to mitigate this vulnerability. ZDI, on the other hand, reports that Fatek Automation will be producing a new version. There is no mention of the vulnerability on the Fatek Automation web site.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to perform a number of malicious actions including arbitrary code execution.

No comments:

/* Use this with templates/template-twocol.html */