Yesterday the DHS ICS-CERT published two control system
security advisories for products from Siemens and GE.
Siemens Advisory
This advisory
describes an authentication bypass vulnerability in the Siemens 7KT PAC1200
data manager. The vulnerability was reported by Maxim Rupp. Siemens has
produced new firmware that mitigates the vulnerability. There are no
indications that Rupp has been provided an opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to bypass authentication mechanisms
and perform administrative functions. The Siemens security
bulletin reports that the attacker must have network access to the device
to exploit the vulnerability.
GE Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the GE CIMPLICITY
software. The vulnerability was reported by David Atch of CyberX. GE has released a new version that mitigates
the vulnerability. There is no indication that Atch has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause the device that the attacker
is accessing to crash; a buffer overflow condition may allow arbitrary remote
code execution.