Wednesday, September 13, 2017

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two advisories. One was a medical device security advisory for products from Philips. The other was a control system advisory for products from mySCADA.

Philips Advisory


This advisory describes two vulnerabilities in the Philips IntelliVue MX40 Patient Worn Monitor. The vulnerabilities are self-reported. There are no FDA Safety Communications about these vulnerabilities. Philips has issued an update that mitigates one of the vulnerabilities; another update is due later this year.

The two reported vulnerabilities are:

• Improper cleanup on thrown exception - CVE-2017-9657; and
• Improper handling of exceptional conditions - CVE-2017-9658

ICS-CERT reports that a relatively low skilled attacker with access to an adjacent network could exploit these vulnerabilities to issue 802.11 Wi-Fi management commands that can impact reporting availability of MX40 device local monitoring to a central monitoring station.

mySCADA Advisory


This advisory describes an unquoted search path or element vulnerability in the mySCADA myPRO HMI/SCADA management platform. The vulnerability was reported by Karn Ganeshen, who publicly disclosed the vulnerability on 7-28-17. mySCADA has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker but authenticated attacker to execute arbitrary code with elevated privileges.


NOTE: Karn is pretty well known for his coordinated disclosure, so this public disclosure is unusual. There are no explanations on either the ICS-CERT or the iPositiveSecurity web site explaining why the early disclosure was made. It would be interesting to know ‘the rest of the story’.

No comments:

 
/* Use this with templates/template-twocol.html */