Tuesday, August 22, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from SpiderControl (2) and Automated Logic Corporation.

SCADA Web Server Advisory

This advisory describes a path traversal vulnerability in the SpiderControl SCADA Web Server. The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative (ZDI). SpiderControl has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain read access to system files through directory traversal.

SCADA MicroBrowser Advisory

This advisory describes a stack-based buffer overflow vulnerability in the SpiderControl SCADA MicroBrowser. The vulnerability was reported by Karn Ganeshen via ZDI. SpiderControl has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to the system, manipulate system files, and potentially render the system unavailable.

Automated Logic Advisory

This advisory describes three vulnerabilities in the ALC WebCTRL, i-Vu, and SiteScan Web products. The vulnerabilities were reported by Gjoko Krstic from Zero Science Lab. ALC has produced patches that mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fixes.

The three reported vulnerabilities are:

• Unquoted search path or element - CVE-2017-9644;
• Path traversal - CVE-2017-9640; and
• Unrestricted upload of file with dangerous type - CVE-2017-9650.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to elevate his or her privileges and execute arbitrary code on the system.
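The three vulnerability classes in the ALC advisory, and the path traversal finding that also appears in the SpiderControl web server advisory, each map to a simple defender-side check. The Python below is an added example written for this post, not code from ICS-CERT, SpiderControl, ALC or the researchers; the web root, the service command lines, the upload allowlist and the sample requests are all constructed, and the function names are this example's own. It shows a traversal-safe path resolver (resolve first, then verify the result is still under the root), a detector for unquoted service executable paths with spaces, and an upload gate that combines an extension allowlist with a leading-bytes check.

```python
"""Defender-side checks for the vulnerability classes in the advisories above:
path traversal (CWE-22), unquoted search path (CWE-428) and unrestricted upload
of a dangerous file type (CWE-434). Added example; not vendor or ICS-CERT code.
Every root, path, allowlist and sample value here is constructed."""

import posixpath
from urllib.parse import unquote

# Constructed document root for the example web server.
WEB_ROOT = "/var/www/scada"

# Constructed upload allowlist: extension -> expected leading bytes
# (None means a text type that is checked for UTF-8 validity instead).
UPLOAD_ALLOWLIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".csv": None,
}


def safe_resolve(web_root, requested):
    """Map a client-supplied URL path onto web_root; return None if it escapes.

    Percent-decodes once, normalizes separators, collapses '.' and '..'
    segments, and only then checks that the result still lies under
    web_root. Checking the request string before normalization is the
    mistake that lets encoded or backslash variants through."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None  # an embedded NUL is never a legitimate path
    cleaned = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def has_unquoted_search_path(image_path):
    """Flag a Windows service command line whose executable path contains a
    space but is not wrapped in quotes (CWE-428). The check stops at the first
    '.exe' so spaces in trailing arguments do not produce false positives."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return False
    end = cmd.lower().find(".exe")
    executable = cmd if end == -1 else cmd[:end]
    return " " in executable


def upload_allowed(filename, content):
    """Accept an upload only if its final extension is allowlisted and, for
    binary types, its leading bytes match the expected signature (CWE-434).
    Directory components in the client-supplied name are discarded."""
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if ext not in UPLOAD_ALLOWLIST:
        return False
    magic = UPLOAD_ALLOWLIST[ext]
    if magic is None:
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return False
        return True
    return content.startswith(magic)


if __name__ == "__main__":
    # Constructed request paths of the kind seen in web server logs.
    for req in ["/hmi/index.html", "/hmi/../../etc/passwd", "/..%2f..%2fetc%2fshadow"]:
        print(req, "->", safe_resolve(WEB_ROOT, req))
    # Constructed service ImagePath values.
    for svc in [r'"C:\Program Files\Vendor\agent.exe" -run',
                r"C:\Program Files\Vendor\agent.exe -run"]:
        print(svc, "->", "UNQUOTED" if has_unquoted_search_path(svc) else "ok")
    # Constructed upload attempts.
    print(upload_allowed("trend.png", b"\x89PNG\r\n\x1a\n...."))
    print(upload_allowed("page.jsp", b"<% %>"))
```

The resolver deliberately decodes only once; a server that decodes twice, or that applies the prefix check before `normpath`, reopens the traversal. The service-path check is the rule a host audit script would run over each service's command line, and the upload gate rejects a dangerous type even when it arrives with an allowlisted name but the wrong leading bytes.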
