Thursday, July 19, 2018

ICS-CERT Publishes 4 Advisories


Today the DHS ICS-CERT published four control system security advisories for products from Moxa, Echelon, and AVEVA (2).

Moxa Advisory


This advisory describes a resource exhaustion vulnerability in the Moxa NPort serial network interface. The vulnerability was reported by Mikael Vingaard. The latest firmware mitigates the vulnerability. There is no indication that Vingaard has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to send TCP SYN packets, causing a resource exhaustion condition that would cause the device to become unavailable.

Echelon Advisory


This advisory describes four vulnerabilities in the Echelon Smart Server and i.LON products. The vulnerabilities were reported by Daniel Crowley and IBM’s X-Force Red team. Echelon has a new version that mitigates three of the vulnerabilities and provides a workaround for the fourth. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Information exposure - CVE-2018-10627;
• Authentication bypass using an alternate path or channel - CVE-2018-8859;
• Unprotected credentials - CVE-2018-8851; and
• Clear text transmission of critical information - CVE-2018-885

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution on the device.

InTouch Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Aveva InTouch HMI. This vulnerability was reported by George Lashenko of CyberX. Aveva has updates available that mitigate the vulnerability. There is no indication that Lashenko has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to execute code with the same privileges as those of the InTouch View process, which could lead to a compromise of the InTouch HMI.

InduSoft Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Aveva InduSoft Web Studio and InTouch Machine Edition HMIs. This vulnerability was reported by Tenable Research. Aveva has updates available that mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.
