Yesterday the DHS ICS-CERT published two control system
security advisories for products from Schneider and AutomationDirect.
Schneider Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the Schneider InduSoft
Web Studio and InTouch Machine Edition. The vulnerabilities were reported by Aaron
Portnoy, formerly of Exodus Intelligence. Schneider has produced new versions
that mitigate the vulnerability. There is no indication that Portnoy has been
provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could use a publicly available exploit to remotely execute code with high
privileges. The Schneider security bulletin notes that the vulnerability
exists during tag subscription.
AutomationDirect Advisory
This advisory
describes an uncontrolled search path element vulnerability in a number of
AutomationDirect products. The vulnerability was reported by Mark Cross of RIoT
Solutions. Newer software versions are available from AutomationDirect that
mitigate the problem. There is no indication that Cross has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker with
uncharacterized access could exploit this vulnerability to execute arbitrary
code on the system.
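An uncontrolled search path element (CWE-427) means the software looks for a library or executable in a directory that a lower-privileged user can write to, or in a relative location such as the current directory. The script below is an added illustration of the defender-side check for that class; it is not code from ICS-CERT, AutomationDirect or RIoT Solutions, and it makes no claim about which directories any AutomationDirect product actually searches. The sample PATH value and the set of "writable" directories are constructed for the example.

```python
"""Audit a PATH-style search list for entries a low-privileged user could
control. Added example for the CWE-427 vulnerability class; the sample
search path and writability data below are constructed, not taken from
any vendor product."""
import ntpath
import os
from typing import Callable, Iterable, List

# Constructed sample: a Windows-style search path with two weak elements
# (a world-writable tools folder and an empty element) and one relative
# element ("bin"), which a loader resolves against the current directory.
SAMPLE_PATH = r"C:\Windows\System32;C:\Users\Public\Tools;;bin;C:\Program Files\Vendor"
SAMPLE_WRITABLE = {r"C:\Users\Public\Tools"}  # constructed ACL result


def split_search_path(path_value: str, sep: str = ";") -> List[str]:
    """Split a search path into entries; an empty element means 'current
    directory' to most loaders, so it is reported as '.'."""
    return [entry if entry else "." for entry in path_value.split(sep)]


def risky_entries(entries: Iterable[str],
                  is_writable: Callable[[str], bool],
                  pathmod=ntpath) -> List[str]:
    """Return entries that are either relative (resolved against whatever the
    current directory happens to be) or writable by the auditing user.
    pathmod selects the path rules (ntpath for Windows-style, os.path for the
    host platform); is_writable is injected so the check can run offline."""
    flagged = []
    for entry in entries:
        if not pathmod.isabs(entry) or is_writable(entry):
            flagged.append(entry)
    return flagged


def audit(path_value: str,
          is_writable: Callable[[str], bool],
          sep: str = ";",
          pathmod=ntpath) -> List[str]:
    """Convenience wrapper: split, then flag weak elements in original order."""
    return risky_entries(split_search_path(path_value, sep), is_writable, pathmod)


if __name__ == "__main__":
    # Offline run over the constructed sample.
    print("constructed sample:", audit(SAMPLE_PATH, lambda p: p in SAMPLE_WRITABLE))
    # Live run over this process's own search path on the host platform.
    live = audit(os.environ.get("PATH", ""),
                 lambda p: os.access(p, os.W_OK),
                 sep=os.pathsep, pathmod=os.path)
    print("host PATH entries needing review:", live)
```

Each flagged entry is a place where the mitigation belongs: tighten the directory's permissions, or remove the empty and relative elements so the loader only resolves against fixed, administrator-controlled locations. Running the live branch as the same low-privileged account the product runs under gives the most honest answer, since `os.access` reports the caller's own rights.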