This week we have a vendor disclosure (mentioned here in
passing last week) from Schneider, a vendor update from BD, and two researcher
coordinated disclosures for products from Ocularis and Foscam.
Schneider Advisory
Schneider reported
four vulnerabilities in their U.motion Builder product. The vulnerabilities
were reported by Wei Gao from Ixia. Schneider has an update to mitigate the vulnerabilities.
There is no indication that Wei was provided an opportunity to verify the
efficacy of the fix.
The four reported vulnerabilities are:
• Print format vulnerability - CVE-2018-7784;
• Remote command injection - CVE-2018-7785;
• Cross-site scripting - CVE-2018-7786; and
• Improper input validation - CVE-2018-7787
BD Update
BD provided a brief update to their KRACK
advisory. They advised users of versions of Pyxis products that are
end-of-life, end-of-support, or are running unsupported operating systems to
contact their service representatives for assistance.
Ocularis Vulnerability
Talos reported
a denial of service vulnerability in the Ocularis Recorder video management
system, which is touted as a Physical Security Information Management (PSIM)
platform. The report
includes proof-of-concept exploit code. Talos reported this vulnerability to
the vendor on March 5th, 2018.
Foscam Vulnerabilities
The VDOO Vulnerability Research Team reported on the Full
Disclosure mailing list three vulnerabilities in the Foscam IP Camera models
and provided a link to their detailed
report. The report includes proof-of-concept exploit code.
The three reported vulnerabilities are:
• Arbitrary file deletion vulnerability - CVE-2018-6830;
• Stack-based buffer overflow - CVE-2018-6832; and
• Shell command injection vulnerability - CVE-2018-6831