Today the DHS ICS-CERT published a control system security
advisory and an update to a previously published advisory, both for products
from Schneider Electric.
Schneider Advisory
This advisory describes multiple vulnerabilities in the Schneider PowerSCADA
Anywhere and Citect Anywhere products. The vulnerabilities are apparently
being self-reported by Schneider. Schneider has developed new versions that
mitigate the vulnerabilities.
The reported vulnerabilities are:
• Cross-site request forgery - CVE-2017-7969;
• Information exposure - CVE-2017-7970;
• Improper validation of certificate expiration - CVE-2017-7971; and
• Improper neutralization of expression/command delimiter - CVE-2017-7972.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to perform actions on behalf of a
legitimate user, perform network reconnaissance, or gain access to resources
beyond those intended with normal operation of the product.
Schneider Update
This update provides new information on an advisory that was originally
published on April 13th, 2017. The update provides information on a firmware
update and a software update that are needed to mitigate the vulnerability.