This week we have two public disclosures from vendors. The
first is an interesting update of information from ABB and the second is a
fresh self-disclosure from OSIsoft.
ABB Update
ABB published their security advisory for their VSN300 Wi-Fi
Logger Card; the vulnerabilities it covers were reported earlier
by ICS-CERT. There was no link to the ABB advisory in the ICS-CERT
advisory because the ABB advisory was published two days later. The
importance of the ABB advisory is that it includes exploit code for the
two reported vulnerabilities, an unusual move for a vendor.
Owners need to take the publication of the exploit code into
account in their risk analysis when deciding whether or not to
update the Card firmware.
It will be interesting to see if ICS-CERT updates their
advisory.
Thanks to Joel Langill for pointing out
the publication of this advisory.
OSIsoft Advisory
OSIsoft announced this week the publication of security
updates for their PI Integrator For Business Analytics 2016, PI Integrator
for Microsoft Azure 2016, and PI Integrator for SAP HANA 2016 products, with new
versions of all three being made available.
The new versions correct two self-identified
vulnerabilities:
• Improper Neutralization of Input During Web Page Generation; and
• Improper Authorization
OSIsoft reports that: “An unauthorized user could gain
privileged access to the PI Integrator application and views of PI System data.
A miscreant could also store malicious script in the application database and
subsequently execute it on the targeted user's machine.”