Today the DHS ICS-CERT published a new control system
security advisory for products from Rockwell. They also published an update to
a control system security advisory for products from Delta Electronics.
Rockwell Advisory
This advisory
describes an unquoted search path or element vulnerability in the Rockwell RSLinx
Classic and FactoryTalk Linx Gateway. The vulnerability was reported by Gjoko
Krstic of Zero Science Lab. Rockwell has new versions available that mitigate
the vulnerability. There is no indication that Krstic has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to allow an authorized,
but non-privileged local user to execute arbitrary code and allow a threat
actor to escalate user privileges on the affected workstation.
NOTE: The advisory points
to an older Rockwell description of an unquoted search path vulnerability
and how it works.
Delta Update
This update
provides additional information on an advisory that was originally
published on May 17th, 2018. The revised version provides a link
to a new version that mitigates the vulnerability and additional NCCIC
recommendations for generic mitigation measures.