This week we have two vendor-released (ABB and OSIsoft)
security reports that were not addressed by ICS-CERT, most likely because the
vendors did not report these directly to that organization. We also have an
interesting report on an unusual class of IOT devices.
ABB Advisory
ABB published a security
advisory describing an improper access control vulnerability in their
SYS600 product. The vulnerability was reported by Fritz Sands via the Zero Day
Initiative. ABB has provided a workaround to mitigate the vulnerability.
An attacker with physical access to the server or with
authenticated network access could exploit the vulnerability to add files and
run arbitrary code and possibly escalate privileges.
OSI Advisory
OSIsoft released a new
version of their PI Web API that addressed (among other things) an
escalation of privilege vulnerability. The release
notes [page for .PDF download] for the new version report the vulnerability
as being fixed and note that it is a critical vulnerability. The vulnerability
is described as:
“Core Services – CRITICAL VULNERABILITY: Escalation of
privileges when Kerberos and Basic Authentication are enabled is mitigated.”
Further information on the vulnerability is supposed to be
included in a dedicated security bulletin which has apparently not yet been published.
IOT Security Issue
For those with a prurient interest in cybersecurity of IOT,
I will provide this link to SEC Consult’s blog
post on the ‘Internet of Dildos’. I nearly stopped reading the post when I
got to: “Moreover, an attacker was able to remotely pleasure individuals
without their consent.” This is, however, a serious report on a large number of
vulnerabilities in a real IOT product.