Today the DHS ICS-CERT published three control system
security advisories for products from SpiderControl (2) and Automated Logic
Corporation.
SCADA Web Server Advisory
This advisory
describes a path traversal vulnerability in the SpiderControl SCADA Web Server.
The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative
(ZDI). SpiderControl has produced a new version that mitigates the
vulnerability. There is no indication that Ganeshen has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain read access to system files
through directory traversal.
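The directory traversal mentioned above is the classic case of a web server joining a request path onto its document root without confirming that the normalised result still lies inside that root. The following is an added illustration, not SpiderControl's code and not the patched version: the web root `/var/www/scada` and the sample request paths are constructed, and `naive_resolve` is a generic sketch of the missing check next to `safe_resolve`, which decodes, rejects NUL bytes, normalises and then verifies containment.

```python
"""Document-root containment check of the kind a path-traversal flaw lacks.

Added illustration, not SpiderControl's code: the web root and the sample
request paths below are constructed for the demonstration.
"""
from pathlib import Path
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

# Constructed document root; a real server would take this from its config.
WEB_ROOT = Path("/var/www/scada").resolve()

# Constructed request paths, two legitimate and three traversal attempts.
SAMPLE_REQUESTS = [
    "/index.html",
    "/static/../index.html",            # '..' that stays inside the root
    "/../../etc/passwd",                # plain traversal
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # percent-encoded dot segments
    "/index.html%00.txt",               # NUL byte truncation attempt
]


def inside_root(path: Path, root: Path) -> bool:
    """True when `path` is `root` or lies beneath it (both already resolved)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def naive_resolve(request_path: str, web_root: Path = WEB_ROOT) -> Path:
    """The pattern behind a traversal bug: decode, join, normalise, never check."""
    relative = unquote(request_path).lstrip("/")
    return (web_root / relative).resolve()


def safe_resolve(request_path: str, web_root: Path = WEB_ROOT) -> Optional[Path]:
    """Map a URL path onto a file under web_root; return None if it escapes.

    Percent-decode first so encoded dot segments (%2e%2e) are judged on their
    decoded form, reject NUL bytes (they truncate paths in C-level APIs),
    then normalise and confirm the result is still inside web_root.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    # Strip the leading slash: Path("/root") / "/etc/passwd" would *replace*
    # the root rather than append to it.
    relative = decoded.lstrip("/")
    candidate = (web_root / relative).resolve()  # collapses '..' and '.'
    if not inside_root(candidate, web_root):
        return None  # normalised path left the document root
    return candidate


def triage(request_paths: Iterable[str],
           web_root: Path = WEB_ROOT) -> Dict[str, Optional[Path]]:
    """Run the safe check over a batch of request paths (e.g. from an access
    log) and return request -> served file, or None where it was refused."""
    return {req: safe_resolve(req, web_root) for req in request_paths}


if __name__ == "__main__":
    for req, result in triage(SAMPLE_REQUESTS).items():
        print(f"{req!r:40} -> {'REFUSED' if result is None else result}")
```

The order of operations matters: decoding after the containment check would let `%2e%2e` through, and checking with a string prefix instead of a resolved path would accept `/var/www/scada-backup/...` as being under `/var/www/scada`.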
SCADA MicroBrowser Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the SpiderControl
SCADA MicroBrowser. The vulnerability was reported by Karn Ganeshen via ZDI. SpiderControl
has produced a new version that mitigates the vulnerability. There is no
indication that Ganeshen has been provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain access to the system,
manipulate system files, and potentially render the system unavailable.
Automated Logic Advisory
This advisory
describes three vulnerabilities in the ALC WebCTRL, i-Vu, and SiteScan Web. The
vulnerabilities were reported by Gjoko Krstic from Zero Science Lab. ALC has
produced patches that mitigate the vulnerabilities. There is no indication that
Krstic has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Unquoted search path or element - CVE-2017-9644;
• Path traversal - CVE-2017-9640; and
• Unrestricted upload of file with dangerous type - CVE-2017-9650
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to elevate his or her privileges to
execute arbitrary code on the system.
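The first of the three, an unquoted search path (CWE-428), is the one an administrator can audit for across a whole host rather than waiting on a vendor patch: a Windows service whose executable path contains a space and is not wrapped in double quotes should have its ImagePath corrected. The script below is an added illustration, not ALC's code and not the affected product's real install path; the service table is constructed. On a real host the same check would run over the `PathName` values from `Get-CimInstance Win32_Service` or the `ImagePath` registry values under the `Services` key.

```python
"""Audit service command lines for the unquoted search path weakness (CWE-428)
that the Automated Logic advisory lists.

Added illustration, not ALC's code: the service names and paths below are
constructed. An executable path containing a space must be wrapped in double
quotes so the service loader does not treat the space as the end of the
program name.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of service name -> ImagePath, as an audit script would
# collect them from the registry or Win32_Service.
SAMPLE_SERVICES: Dict[str, str] = {
    "Svchost-Example": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "VendorWebQuoted": r'"C:\Program Files\Example Vendor\Web Server\webserver.exe" --service',
    "VendorWebUnquoted": r"C:\Program Files\Example Vendor\Web Server\webserver.exe --service",
    "VendorAgent": r"C:\Example Vendor\agent.exe",
    "NoSpaces": r"C:\ExampleVendor\bin\agent.exe -d",
}

_EXE_END = re.compile(r"\.exe", re.IGNORECASE)


def split_command(image_path: str) -> Tuple[str, str]:
    """Split an ImagePath into (executable, arguments).

    A path that already starts with a double quote is taken up to the closing
    quote; otherwise the executable is everything up to the first '.exe'.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s, ""
        return s[: end + 1], s[end + 1:]
    m = _EXE_END.search(s)
    if m is None:
        return s, ""
    return s[: m.end()], s[m.end():]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable part is unquoted and contains a space.

    Spaces in the arguments (e.g. '-k netsvcs') are harmless; only the
    executable path itself is ambiguous to the loader.
    """
    exe, _ = split_command(image_path)
    return not exe.startswith('"') and " " in exe


def quoted_form(image_path: str) -> str:
    """The corrected ImagePath: executable wrapped in quotes, arguments kept."""
    exe, args = split_command(image_path)
    if exe.startswith('"'):
        return image_path.strip()
    return f'"{exe}"{args}'


def audit_services(services: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (service, current ImagePath, suggested ImagePath) per finding."""
    findings = []
    for name, path in services.items():
        if is_unquoted_with_spaces(path):
            findings.append((name, path, quoted_form(path)))
    return findings


if __name__ == "__main__":
    for name, current, fixed in audit_services(SAMPLE_SERVICES):
        print(f"{name}: {current!r} -> {fixed!r}")
```

Quoting the path is the complete fix for this weakness class; it does not require reinstalling the product, only editing the service's ImagePath and restarting the service.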