Tuesday, February 6, 2018

ICS-CERT Publishes an Advisory and an Update

Today the DHS ICS-CERT published a medical device security advisory for products from Vyaire Medical. They also updated a control system security advisory for products from Siemens.

Vyaire Advisory

This advisory describes an uncontrolled search path element vulnerability in the Vyaire CareFusion Upgrade Utility. The vulnerability was reported by Mark Cross (@xerubus). Vyaire no longer supports the affected version and recommends that owners upgrade to the newer version of the utility. ICS-CERT notes that “This updated Upgrade Utility will not install on Windows XP and will require updating the underlying system to Windows 7 or later.” There is no indication that Cross was provided an opportunity to verify that the newer version is not affected.

ICS-CERT reports that an uncharacterized attacker with local access could exploit the vulnerability to insert a malicious DLL on the target system and run arbitrary code.

Siemens Update

This update provides additional information on an advisory that was originally published on January 25th, 2018. The update removes a broken link that was included in the original Siemens security notice.
