Friday, August 17, 2018

ICS-CERT Publishes 3 Advisories


Yesterday the DHS ICS-CERT published two control system security advisories for products from Tridium and Emerson and a medical device security advisory for products from Philips. The Tridium advisory was previously published on the HSIN ICS-CERT library on July 10, 2018. For more on this HSIN resource see the final section below.

Tridium Advisory


This advisory describes two vulnerabilities in the Tridium Niagara controller. The vulnerabilities were reported by Johnathan Gains and Leet Cyber Security. Tridium has updates available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-16744; and
• Improper authentication - CVE-2017-16748

ICS-CERT reports that an uncharacterized attacker could remotely exploit these vulnerabilities to crash the device being accessed; a buffer overflow condition may allow remote code execution.

Emerson Advisory


This advisory describes four vulnerabilities in the Emerson DeltaV DCS Workstations. The vulnerabilities were reported by Younes Dragoni of Nozomi Networks and Ori Perez of CyberX. Emerson has a patch available that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Uncontrolled search path element - CVE-2018-14797;
• Relative path traversal - CVE-2018-14795;
• Improper privilege management - CVE-2018-14791; and
• Stack-based buffer overflow - CVE-2018-14793

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution, malware injection, or malware to spread to other workstations.

Philips Advisory


This advisory describes two vulnerabilities in the Philips PageWriter Cardiographs. Philips is self-reporting these vulnerabilities to ICS-CERT. Philips has produced generic workarounds and plans to issue updates to mitigate the vulnerabilities in the middle of next year.

The two reported vulnerabilities are:

• Improper input validation - CVE-2018-14799; and
• Use of hard-coded credentials - CVE-2018-14801

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow buffer overflows or allow an attacker to access and modify settings on the device.

HSIN Library


It has been a while since I mentioned the ICS-CERT library on the Homeland Security Information Network. This restricted access, on-line resource provides ICS-CERT a method of sharing information with the user community for vulnerabilities that may affect critical homeland resources. This restricted release is designed to allow owners a chance to implement mitigation measures before the vulnerability becomes public knowledge.

For more information about this program and to request access see this ICS-CERT page.
