Today the DHS ICS-CERT published two control system security
advisories for products from Becton, Dickinson and Company (BD) and Leão
Consultoria e Desenvolvimento de Sistemas LTDA ME (LCDS).
BD Advisory
This advisory
describes a hard-coded password vulnerability in the BD Kiestra PerformA and
KLA Journal Service (laboratory information management system) applications.
The vulnerability is apparently self-reported. BD will be providing updates
to the two applications and to the Kiestra Database to “reduce the risk [emphasis
added] of exploitation of the hard-coded passwords vulnerability”.
ICS-CERT reported that a relatively low-skilled attacker
could remotely exploit this vulnerability to access the BD Kiestra Database,
which could be leveraged to compromise the confidentiality of limited patient
health information and personally identifiable information stored in the BD
Kiestra Database.
The BD
Security Advisory paints a more complicated picture of the vulnerability
situation, but it also provides workarounds to be used pending the updates
that will be provided later this year. It describes three vulnerabilities
instead of one:
• A legacy application protocol (SMB1);
• Hard-coded passwords in the two applications;
• A third-party default password in the Database.
LCDS Advisory
This advisory
describes a path traversal vulnerability in the LCDS LAquis SCADA software. The
vulnerability was reported by Karn Ganeshen via the Zero Day Initiative. LCDS
has produced a new firmware version to mitigate the vulnerability. There is no
indication that Ganeshen has been given an opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to gain unprivileged access to files on the
system.
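To illustrate the class of flaw behind the LCDS advisory, the following is an added, generic example written for this post; it is not code from LAquis SCADA, LCDS, ZDI or ICS-CERT, and the web root, request strings and function names are hypothetical. It shows a naive request-path join that lets "../" sequences (including URL-encoded and backslash variants) escape the application directory, beside a hardened resolver that decodes, normalizes and then confirms the result still lies under the root.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical web root used only for this illustration.
WEB_ROOT = "/opt/scada/www"


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join: decodes the request once and glues it onto the root.

    Any '../' in the request walks out of the root, which is the shape of
    a classic path traversal bug.
    """
    return root + "/" + unquote(requested)


def hardened_resolve(root: str, requested: str) -> Optional[str]:
    """Returns the absolute path to serve, or None if the request must be rejected."""
    root = posixpath.normpath(root)

    # Decode repeatedly (bounded) so double-encoded '%252e%252e' cannot
    # survive a single decoding pass and be interpreted later.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # A NUL byte is never legitimate in a file name and is a classic way to
    # truncate an extension check in C-based servers.
    if "\x00" in decoded:
        return None

    # SCADA products are often Windows-hosted; treat backslashes as separators
    # so '..\\..\\' is normalized the same way as '../../'.
    decoded = decoded.replace("\\", "/")

    # Join, collapse '.' and '..' components, then prove the result is still
    # inside the root (equal to it, or a strict child of it).
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_requests(requests: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """For each request, return (request, naive path after normalization, hardened decision)."""
    results = []
    for req in requests:
        naive = posixpath.normpath(vulnerable_resolve(WEB_ROOT, req))
        results.append((req, naive, hardened_resolve(WEB_ROOT, req)))
    return results


# Constructed sample requests: one benign, the rest traversal attempts.
SAMPLE_REQUESTS = [
    "reports/daily.csv",
    "../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
    "..%252f..%252f..%252fetc/passwd",
    "..\\..\\..\\windows\\win.ini",
    "reports/daily.csv%00.png",
]

if __name__ == "__main__":
    for req, naive, safe in check_requests(SAMPLE_REQUESTS):
        verdict = "REJECTED" if safe is None else safe
        print(f"{req!r:40} naive -> {naive:30} hardened -> {verdict}")
```

The check that matters is the final prefix test on the normalized absolute path: decoding and normalizing alone are not enough, because a request that normalizes to a sibling of the root is still outside it. A real server should also resolve symlinks (for example with `os.path.realpath`) before the comparison, which this offline example omits.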