Saturday, June 9, 2018

Public ICS Disclosures – Week of 06-02-18

This week we have a vendor disclosure (mentioned here in passing last week) from Schneider, a vendor update from BD, and two researcher-coordinated disclosures for Ocularis and Foscam products.

Schneider Advisory

Schneider reported four vulnerabilities in their U.motion Builder product. The vulnerabilities were reported by Wei Gao from Ixia. Schneider has an update to mitigate the vulnerabilities. There is no indication that Wei was provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Print format vulnerability - CVE-2018-7784;
• Remote command injection - CVE-2018-7785;
• Cross-site scripting - CVE-2018-7786; and
• Improper input validation - CVE-2018-7787.

BD Update

BD provided a brief update to their KRACK advisory. They advised users of Pyxis products that are end-of-life, end-of-support, or running unsupported operating systems to contact their service representatives for assistance.

Ocularis Vulnerability

Talos reported a denial of service vulnerability in the Ocularis Recorder video management system which is touted as a Physical Security Information Management (PSIM) platform. The report includes proof-of-concept exploit code. Talos reported this vulnerability to the vendor on March 5th, 2018.

Foscam Vulnerabilities

The VDOO Vulnerability Research Team reported on the Full Disclosure mailing list three vulnerabilities in the Foscam IP Camera models and provided a link to their detailed report. The report includes proof-of-concept exploit code.

The three reported vulnerabilities are:

• Arbitrary file deletion vulnerability - CVE-2018-6830;
• Shell command injection vulnerability - CVE-2018-6831; and
• Stack-based buffer overflow - CVE-2018-6832.
