Thursday, July 20, 2017

ICS-CERT Publishes an Advisory and an Update

Today the DHS ICS-CERT published a control system security advisory and an update to a previously published advisory, both for products from Schneider Electric.

Schneider Advisory

This advisory describes multiple vulnerabilities in the Schneider PowerSCADA Anywhere and Citect Anywhere products. The vulnerabilities were apparently self-reported by Schneider. Schneider has developed new versions that mitigate the vulnerabilities.

The reported vulnerabilities are:

• Cross-site request forgery - CVE-2017-7969;
• Information exposure - CVE-2017-7970;
• Improper validation of certificate expiration - CVE-2017-7971; and
• Improper neutralization of expression/command delimiter - CVE-2017-7972

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to perform actions on behalf of a legitimate user, perform network reconnaissance, or gain access to resources beyond those intended with normal operation of the product.

Schneider Update

This update provides new information on an advisory that was originally published on April 13th, 2017. The update provides information on a firmware update and a software update that are needed to mitigate the vulnerability.
