Thursday, January 19, 2017

ICS-CERT Publishes Schneider Advisory

Today the DHS ICS-CERT published a control system security advisory for a product from Schneider Electric. This advisory describes a cross-site scripting vulnerability in the Schneider homeLYnk Controller. The vulnerability was reported by Mohammed Shameem (@_M_Shahnawaz). Schneider has produced a firmware upgrade to mitigate the vulnerability. There is no indication that Shameem has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause execution of JavaScript code.

NOTE: ICS-CERT has corrected their problem with naming these advisories. All advisories published since the first of the year are now named with a recognizable vendor/product name. It did not require a new formatting change.
