Today the DHS ICS-CERT published two control system security advisories for products from Belden and Eaton.
Belden Advisory
This advisory describes a path traversal vulnerability in the Belden Hirschmann GECKO. The vulnerability was reported by Davy Douhine of RandoriSec. Belden produced a new version to mitigate the vulnerability. There is no indication that Douhine was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to access a copy of the configuration file of an affected device without authenticating, exposing sensitive information.
The Belden Security Bulletin notes that only administrators who are using the configuration download feature are affected.
Eaton Advisory
This advisory describes a path traversal vulnerability in legacy Eaton ePDUs. The vulnerability was reported by Maxim Rupp. The affected products are no longer supported; Eaton suggests using defense-in-depth mitigation measures if the devices are not replaced.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to access configuration files.
NOTE: For some reason this vulnerability was presented in last year’s format. I’ve already gotten so used to the new format that this reversion feels odd. Oh well….