Today the DHS ICS-CERT published an industrial control
system advisory for products from Hanwha Techwin. The advisory describes two
vulnerabilities in the Hanwha Techwin Smart Security Manager. The
vulnerabilities were reported by Steven Seeley of Source Incite. Hanwha Techwin
has produced a patch to mitigate the vulnerabilities. There is no indication that
Seeley has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Path traversal - CVE-2017-5168; and
• Cross-site request forgery - CVE-2017-5169
ICS-CERT only notes that the vulnerabilities are remotely
exploitable and reports that a successful exploit could lead to the creation of an
arbitrary file on the server with attacker-controlled data, as well as an
attacker gaining root shell access.