Tuesday, April 10, 2018

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Omron and ATI Systems.

Omron Advisory

This advisory describes three vulnerabilities in the Omron CX-One. The vulnerabilities were reported by rgod via the Zero Day Initiative. Omron has released new versions that mitigate the vulnerabilities. There is no indication that rgod was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2018-8834;
• Stack-based buffer overflow - CVE-2018-7514; and
Type confusion - CVE-2018-7530

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow remote code execution (which sounds like ‘remote access’ to me).

ATI Systems Advisory

This advisory describes two vulnerabilities in the ATI Emergency Mass Notification Systems. The vulnerabilities were reported by Balint Seeber of Bastille. ATI will be making a patch available to mitigate the vulnerability.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-8862; and
• Missing encryption of sensitive data - CVE-2018-8864

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerabilities to trigger false alarms.

NOTE: While Seeber notified ICS-CERT of this vulnerability in a coordinated disclosure, he also apparently notified a number of reporters (not me, sigh-grin) because articles about this vulnerability have appeared today at Wired, Gizmodo, and SecurityWeek; they all have more (but not all) details about the vulnerability and its discovery than you would expect to see in an ICS-CERT advisory. Interestingly, none of these articles mentions this ICS-CERT advisory. Oh, and the Bastille web site has a ‘white paper’ that will supposedly be available on the ‘SirenJack’ vulnerability. I have requested my copy and am waiting….

No comments:

/* Use this with templates/template-twocol.html */