Yesterday the DHS ICS-CERT published two advisories. One was
a medical device security advisory for products from Philips. The other was a
control system advisory for products from mySCADA.
Philips Advisory
This advisory
describes two vulnerabilities in the Philips IntelliVue MX40 Patient Worn
Monitor. The vulnerabilities are self-reported. There are no FDA
Safety Communications about these vulnerabilities. Philips has issued an
update that mitigates one of the vulnerabilities; another update is due later
this year.
The two reported vulnerabilities are:
• Improper cleanup on thrown
exception - CVE-2017-9657; and
• Improper handling of exceptional conditions - CVE-2017-9658
ICS-CERT reports that a relatively low skilled attacker with
access to an adjacent network could exploit these vulnerabilities to issue
802.11 Wi-Fi management commands that can impact reporting availability of MX40
device local monitoring to a central monitoring station.
mySCADA Advisory
This advisory
describes an unquoted search path or element vulnerability in the mySCADA myPRO
HMI/SCADA management platform. The vulnerability was reported by Karn Ganeshen,
who publicly
disclosed the vulnerability on 7-28-17. mySCADA has produced a new version
that mitigates the vulnerability. There is no indication that Ganeshen was
provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker but
authenticated attacker to execute arbitrary code with elevated privileges.
NOTE: Karn is pretty well known for his coordinated
disclosure, so this public disclosure is unusual. There are no explanations on
either the ICS-CERT or the iPositiveSecurity web site explaining why the early
disclosure was made. It would be interesting to know ‘the rest of the story’.
Posts
No comments:
Post a Comment