Today the DHS ICS-CERT published two control system security advisories for products from Moxa and OSIsoft. I mentioned the OSIsoft vulnerabilities in a blog post last month.
Moxa Advisory
This advisory describes an uncontrolled search path element vulnerability in the Moxa SoftNVR-IA Live Viewer. The vulnerability was reported by Karn Ganeshen. Moxa has developed an update to mitigate the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to execute code from a malicious DLL on the affected system with the same privileges as the application that loaded the malicious DLL.
OSIsoft Advisory
This advisory describes two vulnerabilities in the OSIsoft PI Integrator. The vulnerabilities are self-reported. OSIsoft developed new versions of the software to mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Cross-site scripting - CVE-2017-9655; and
• Improper authorization - CVE-2017-9653.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to gain privileged access to the system. An attacker may also be able to store a malicious script in the application database.