Tuesday, February 20, 2018

ICS-CERT Publishes ABB Advisory and Updates Meltdown Alert

Today the DHS ICS-CERT published a new control system security advisory for products from ABB. They also provided an update of their previously issued alert for the Meltdown and Spectre vulnerabilities.

ABB Advisory

This update describes an information exposure vulnerability in the ABB netCADOPS Web Application. The vulnerability was reported by ─░smail Erkek. ABB has provided product updates to mitigate the vulnerability. There is no indication that Erkek was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow critical information about the database to be exposed. The ABB security advisory clarifies that the attacker would have to have access to the control network hosting the DMS to exploit the vulnerability.

Meltdown Alert Update

This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018 and on January 30th, 2018. The update adds a link to a new vendor notification from Honeywell. Previously identified vendor pages for ABB and Schneider have been updated since the last ICS-CERT update. NOTE: The updated ABB page is the one I mentioned on Saturday.

No comments:

/* Use this with templates/template-twocol.html */