Thursday, September 14, 2017

ICS-CERT Updates an Advisory and Publishes Another

Today the DHS ICS-CERT updated a previously published advisory for a product from Siemens. They also published a new advisory for a product from LOYTEC.

Siemens Update

This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, and then again on August 18th, 2017. The update provides new affected version information and mitigation links for:

• SCALANCE M-800, S615: All versions prior to V04.03.

LOYTEC Advisory

The advisory describes four vulnerabilities in the LOYTEC LVIS-3ME HMI touch panel. The vulnerabilities were reported by Davy Douhine of RandoriSec. LOYTEC has released a firmware update to mitigate the vulnerabilities. There is no indication that Douhine was provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Relative path traversal - CVE-2017-13996;
• Insufficient entropy - CVE-2017-13992;
• Improper neutralization of input during web page generation - CVE-2017-13994; and
• Insufficiently protected credentials - CVE-2017-13998.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause information exposure or allow arbitrary code execution.
