Today the DHS ICS-CERT published five control system
security advisories for products from AVEVA (2), WECON, Johnson Controls and
Davolink.
Wonderware Advisory
This advisory
describes an improper restriction in operations within the bounds of a memory
buffer vulnerability in the AVEVA Wonderware License Server; the vulnerability
is in the third-party Flexera
FlexNet Publisher software. The vulnerability was reported to AVEVA by an
anonymous researcher. AVEVA has an update that mitigates the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to effect remote code execution with
administrative privileges.
NOTE: This vulnerability was also
reported in the Rockwell Factory Talk Activation Manager earlier this year.
There is an interesting blog
post from 2016 about this vulnerability over at Security Mumblings.
InTouch Advisory
This advisory
describes a cross-site scripting vulnerability in the AVEVA InTouch Access
Anywhere product. The vulnerability was reported by Google’s Security Team.
AVEVA has an update that mitigates the vulnerability. The AVEVA security
advisory indicates that the researchers have verified the efficacy of the
fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to obtain sensitive information
and/or execute JavaScript or HTML code.
WECON Advisory
This advisory
describes two buffer overflow vulnerabilities in the WECON LeviStudioU. The
vulnerabilities were reported by NSFOCUS security team, Ghirmay Desta and Mat
Powell via the Zero Day Initiative.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-10602; and
• Heap-based buffer overflow - CVE-2018-10606
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute remote code.
NOTE: Reading between the lines of the advisory, it looks
like ICS-CERT did not get much cooperation from WECON on these vulnerabilities.
Johnson Controls Advisory
This advisory
describes an information exposure through an error message vulnerability in the
Johnson Controls Metasys and BCPro products. The vulnerability was reported by Dan
Regalado of Zingbox. Newer versions mitigate the vulnerability. There is no
indication that Regalado was provided an opportunity to verify the efficacy of
the fix.
ICS-CERT reports that a relatively low-skilled attacker on an
adjacent network could exploit the vulnerability to obtain technical
information about the Metasys or BCPro server, allowing an attacker to target a
system for attack.
Davolink Advisory
This advisory
describes a use of password hash with insufficient computational effort vulnerability
in the Davolink DVW-3200N network switch. The vulnerability was reported by Ankit
Anubhav of NewSky Security. There is new firmware for the device that mitigates
the vulnerability. There is no indication that Anubhav was provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to obtain the password to the device.