Today the DHS ICS-CERT published two control system security
advisories for products from Omron and ATI Systems.
Omron Advisory
This advisory
describes three vulnerabilities in the Omron CX-One. The vulnerabilities were
reported by rgod via the Zero Day Initiative. Omron has released new versions
that mitigate the vulnerabilities. There is no indication that rgod was
provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2018-8834;
• Stack-based buffer overflow - CVE-2018-7514;
and
• Type confusion - CVE-2018-7530
ICS-CERT reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to allow remote code
execution (which sounds like ‘remote access’ to me).
ATI Systems Advisory
This advisory
describes two vulnerabilities in the ATI Emergency Mass Notification Systems.
The vulnerabilities were reported by Balint Seeber of Bastille. ATI will be
making a patch available to mitigate the vulnerability.
The two reported vulnerabilities are:
• Improper authentication - CVE-2018-8862;
and
• Missing encryption of sensitive
data - CVE-2018-8864
ICS-CERT reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to trigger false alarms.
NOTE: While Seeber notified ICS-CERT of this vulnerability
in a coordinated disclosure, he also apparently notified a number of reporters
(not me, sigh-grin) because articles about this vulnerability have appeared
today at Wired,
Gizmodo,
and SecurityWeek;
they all have more (but not all) details about the vulnerability and its
discovery than you would expect to see in an ICS-CERT advisory. Interestingly,
none of these articles mentions this ICS-CERT advisory. Oh, and the Bastille web site has a ‘white paper’ that will
supposedly be available on the ‘SirenJack’ vulnerability. I have requested my
copy and am waiting….
Posts
No comments:
Post a Comment