Public ICS Disclosures – Week of 02-04-18

This week we have two vendor-released security reports (from ABB and OSIsoft) that were not addressed by ICS-CERT, most likely because the vendors did not report them directly to that organization. We also have an interesting report on an unusual class of IOT devices.

ABB Advisory

ABB published a security advisory describing an improper access control vulnerability in their SYS600 product. The vulnerability was reported by Fritz Sands via the Zero Day Initiative. ABB has provided a workaround to mitigate the vulnerability.

An attacker with physical access to the server or with authenticated network access could exploit the vulnerability to add files and run arbitrary code and possibly escalate privileges.

OSI Advisory

OSIsoft released a new version of their PI Web API that addressed (among other things) an escalation of privilege vulnerability. The release notes [page for .PDF download] for the new version report the vulnerability as being fixed and note that it is a critical vulnerability. The vulnerability is described as:

“Core Services – CRITICAL VULNERABILITY: Escalation of privileges when Kerberos and Basic Authentication are enabled is mitigated.”

Further information on the vulnerability is supposed to be included in a dedicated security bulletin which has apparently not yet been published.

IOT Security Issue

For those with a prurient interest in cybersecurity of IOT, I will provide this link to SEC Consult’s blog post on the ‘Internet of Dildos’. I nearly stopped reading the post when I got to: “Moreover, an attacker was able to remotely pleasure individuals without their consent.” This is, however, a serious report on a large number of vulnerabilities in a real IOT product.

