Yesterday the DHS ICS-CERT published a control system
advisory for multiple vulnerabilities in the Honeywell XL Web II controller
application (also sold as the Falcon web controller by Centraline). The vulnerabilities
were reported by Maxim Rupp. Honeywell has produced a new version to mitigate
the vulnerabilities. There is no indication that Rupp has been provided an
opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Plaintext storage of passwords - CVE-2017-5139;
• Insufficiently protected credentials - CVE-2017-5140;
• Session fixation - CVE-2017-5141;
• Improper privilege management - CVE-2017-5142; and
• Path traversal - CVE-2017-5143.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to gain an entry point
into the network where the controller is located.
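To make three of those vulnerability classes concrete (plaintext password storage, session fixation and path traversal), here is an added illustration, in Python, of what each looks like in a minimal credential, session and file handler and how it is fixed. This is constructed example code written for this post, not Honeywell's application or anything taken from the advisory; the web root, the user table, the fixed salt and the session model are all assumptions made for the illustration.

```python
import hashlib
import hmac
import posixpath
import secrets

# Constructed illustration of three CWE classes named in the advisory.
# Nothing here is Honeywell code; WEBROOT, USERS and _SALT are assumptions.

WEBROOT = "/srv/webroot"  # assumed document root of the web controller


# --- Plaintext password storage vs. salted hashing ---------------------
def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a leaked store cannot be read back as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"  # real code: one random salt per user
# Vulnerable pattern would be {"operator": "correct horse"}; store hashes instead.
USERS = {"operator": _hash("correct horse", _SALT)}


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash(password, _SALT)  # same work for unknown users: no timing leak
        return False
    return hmac.compare_digest(stored, _hash(password, _SALT))


# --- Session fixation: vulnerable vs. hardened login ---------------------
class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}  # session id -> {"user": ...}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, user: str, password: str):
        """Authenticates into whatever session id the client presented, so an
        id planted by an attacker (via a link or cookie) becomes logged in."""
        if not check_password(user, password):
            return None
        self.sessions.setdefault(sid, {})["user"] = user
        return sid

    def login_hardened(self, sid: str, user: str, password: str):
        """Discards the pre-authentication id and issues a fresh one on
        success, so a planted id never becomes an authenticated session."""
        if not check_password(user, password):
            return None
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid


# --- Path traversal: vulnerable vs. hardened file resolution --------------
def resolve_vulnerable(requested: str) -> str:
    # Concatenates the client-supplied path onto the root without
    # normalising, so "../../etc/passwd" walks out of WEBROOT.
    return WEBROOT + "/" + requested


def resolve_hardened(requested: str):
    # Reject NUL bytes, strip a leading slash, normalise, then confirm the
    # result is still inside WEBROOT; return None otherwise.
    if "\x00" in requested:
        return None
    full = posixpath.normpath(posixpath.join(WEBROOT, requested.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    planted = "attacker-planted-id"
    print("vulnerable login keeps planted id:",
          SessionStore().login_vulnerable(planted, "operator", "correct horse") == planted)
    print("hardened login rotates id:",
          SessionStore().login_hardened(planted, "operator", "correct horse") != planted)
    print("traversal unchecked:", resolve_vulnerable("../../etc/passwd"))
    print("traversal blocked:", resolve_hardened("../../etc/passwd"))
```

The check that matters in each case is the one the vulnerable variant omits: the credential store never holds the password itself, the session id is rotated at the privilege boundary, and the resolved path is compared against the root after normalisation rather than before.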
NOTE: For some reason this advisory was published in the old
format. While not a serious issue, the lack of internal controls that let the
format slip may be an indicator of some management issues.