Today the DHS ICS-CERT published a medical device security advisory
for products from Philips and a control system security advisory for products
from Schneider Electric.
Philips Advisory
This advisory describes two vulnerabilities in the Philips Alice 6 System sleep diagnostic
system. The vulnerabilities are apparently self-reported. Philips plans on producing
a new product version in December that will mitigate the vulnerability.
The two reported vulnerabilities are:
• Improper authentication - CVE-2018-5451; and
• Missing encryption of sensitive data - CVE-2018-7498
ICS-CERT reports that a relatively low-skilled attacker
using publicly available exploits could remotely exploit the vulnerabilities to
gain visibility to usernames/passwords and personal data. Insufficient
encryption and cryptographic integrity checks can lead to altered, corrupted,
or disclosed sensitive data. Disclosure of personal data can occur by replacing
a trusted node with a malicious node.
NOTE: These vulnerabilities were not reported on the FDA
Medical Device Safety Communications page.
Schneider Advisory
This advisory describes three vulnerabilities in the Schneider Modicon products. The
vulnerabilities were separately reported by Nikita Maximov, Alexey Stennikov,
and Kirill Chernyshov of Positive Technologies as well as Meng Leizi and Zhang
Daoquan. Schneider has described generic workarounds to mitigate the
vulnerabilities.
The three reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-7240;
• Use of hard-coded credentials - CVE-2018-7241; and
• Use of broken or risky cryptographic algorithm - CVE-2018-7242
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to gain unauthorized
access to the file transfer service on the device, which could result
in arbitrary code execution or malicious firmware installation.
NOTE: These are the Modicon FTP vulnerabilities that I reported on Saturday.