Today the DHS
ICS-CERT published three control system security advisories for products from
Advantech, CyberVision and Schneider.
Advantech Advisory
This advisory
describes a client-side authentication vulnerability in the Advantech B+B
SmartWorx MESR901. The vulnerability was originally reported by Maxim Rupp.
ICS-CERT reports that Advantech is unable to provide mitigations for this
product and is working to replace the product with a new model.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to bypass authentication and access
restricted pages.
CyberVision Advisory
This advisory
describes a code injection vulnerability in the CyberVision Kaa IoT Platform.
The vulnerability was reported Jacob Baines from Tenable Network Security.
ICS-CERT reports that CyberVision has been unresponsive to multiple contact
requests and has produced no mitigations for this vulnerability.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit this vulnerability to allow for the creation of files
with custom content, movement of files, and execution of arbitrary OS commands.
Schneider Advisory
This advisory
describes an Improper XML Parser Configuration in the Schneider Wonderware
Historian Client. The vulnerability was reported by Andrey Zhukov from USSC.
Schneider has an update that mitigates the vulnerability. ICS-CERT reports that
Zhukov has verified the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker (no
discussion of access requirements) to cause denial of service of trend display
or to disclose arbitrary files from the local file system to a malicious web
site. The Wonderware Security Bulletin reports that a social engineering attack
would be required to get an authorized user to load a malicious XML settings
file.
Commentary
At this late date it is very disconcerting to see two
ICS-CERT advisories reporting that vendors are not fixing reported
vulnerabilities. I am disappointed in not seeing ICS-CERT report why Advantech
is choosing to not fix their SmartWorx MESR901. I suspect that this is an
end-of-life issue, but the product is still being actively
advertised on the Advantech web site.
More disturbing is the failure of CyberVision to even
respond to ICS-CERT about the reported vulnerability. The Kaa project is
advertised as an open-source IOT platform. We have enough problems with IOT
security issues without having people acknowledge and try to fix specifically
identified security issues with their product.
Posts
No comments:
Post a Comment