Today the DHS ICS-CERT published a control system security advisory for products from Martem. They also published a medical device security advisory for products from Becton, Dickinson and Company (BD).
Martem Advisory
This advisory describes three vulnerabilities in the Martem TELEM-GW6/GWM products. The vulnerabilities were reported by Bernhards Blumbergs and Arturs Danilevics of CERT.LV, Latvia. Martem has described workarounds to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Missing authentication for critical function - CVE-2018-10603;
• Uncontrolled resource consumption - CVE-2018-10607; and
• Cross-site scripting - CVE-2018-10609
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow execution of unauthorized industrial process control commands, denial of service, or client-side code execution.
BD Advisory
This advisory describes three separate SQL related vulnerabilities in the BD Kiestra and InoqulA systems. These vulnerabilities are being self-reported. BD intends to have mitigations in place by July. In the meantime BD has described workarounds to mitigate the vulnerabilities.
The following applications in the affected products fail to warn users of unsafe actions:
• Database (DB) Manager;
• ReadA Overview; and
• PerformA
ICS-CERT reports that an uncharacterized attacker with access to an adjacent network could exploit the vulnerabilities, which may lead to loss or corruption of data.
NOTE: These vulnerabilities have not been reported on the FDA Medical Device Safety Communications site.