Today the DHS ICS-CERT published a new control system
security advisory for products from ABB. They also provided an update of their
previously issued alert for the Meltdown and Spectre vulnerabilities.
ABB Advisory
This advisory describes an information exposure vulnerability in the ABB
netCADOPS Web Application. The vulnerability was reported by İsmail Erkek. ABB
has provided product updates to mitigate the vulnerability. There is no
indication that Erkek was provided an opportunity to verify the efficacy of the
fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit
this vulnerability to expose critical information about the database. The ABB
security advisory clarifies that the attacker would need access to the control
network hosting the DMS to exploit the vulnerability.
Meltdown Alert Update
This update provides additional information on an alert that was originally
published on January 11th, 2018 and updated on January 16th, 2018, January
17th, 2018 and on January 30th, 2018. The update adds a link to a new vendor
notification from Honeywell.
Previously identified vendor pages for ABB and Schneider have been updated
since the last ICS-CERT update. NOTE: The updated ABB page is the one I
mentioned on Saturday.