Today the DHS ICS-CERT published 4 control system security
advisories for products from Rockwell, Advantech, Dahua Technology and
Hikvision. The Rockwell advisory was previously published on the NCCIC Portal
on April 4, 2017.
ICS-CERT also published the latest version of their ICS-CERT
Monitor. Not worth reviewing, but it is out there.
Rockwell Advisory
This advisory describes a resource exhaustion vulnerability in Rockwell
ControlLogix and CompactLogix controllers. This vulnerability was apparently
self-reported.
Rockwell has provided updated versions to mitigate the vulnerability.
ICS-CERT reports that an uncharacterized attacker could
remotely exploit the vulnerability to cause the device that the attacker is
accessing to become unavailable.
Advantech Advisory
This advisory describes an absolute path traversal vulnerability in Advantech
WebAccess.
The vulnerability was reported by Zhou Yu via ZDI. Advantech has produced a new
version to mitigate the vulnerability. ICS-CERT reports that Yu has verified
the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to traverse the file system and gain
access to files or directories, which could result in the device becoming
unavailable.
Dahua Technology Advisory
This advisory describes two password vulnerabilities in the Dahua Digital Video
Recorders and IP Cameras. Bashis disclosed these vulnerabilities without
coordination with ICS-CERT (see Brian Krebs and ThreatPost articles for more
information).
The two reported vulnerabilities are:
• Use of password hash instead of password for authentication - CVE-2017-7927; and
• Password in configuration file - CVE-2017-7925
ICS-CERT reports that a relatively low-skilled attacker
could use publicly available exploits to remotely exploit the vulnerabilities
to allow the attacker to obtain user credentials, including password hashes,
and use these credentials to bypass authentication.
Hikvision Advisory
This advisory describes two password vulnerabilities in the Hikvision cameras.
The vulnerabilities were reported by IPcamtalk user “Montecrypto”. Hikvision
has published a new
version to mitigate one of the two vulnerabilities. There is no indication that
Montecrypto was provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper authentication - CVE-2017-7921; and
• Password in configuration file - CVE-2017-7923
In Passing
Please remember that when ICS-CERT publishes their 2017 stats, they will
almost certainly include the Dahua and Hikvision vulnerabilities in their
count of control system advisories for the year.