Yesterday the DHS ICS-CERT published a control system security
advisory for products from Philips. They also published updates for two previously
published advisories: one for control system products from Martem and one for
medical device products from Philips.
Philips Advisory
This advisory
describes nine vulnerabilities in the Philips e-Alert Unit. The vulnerabilities were
self-reported by Philips. Philips has a version available that mitigates some of the
vulnerabilities; a new version dealing with the remainder is to be published by
the end of the year.
The nine reported vulnerabilities are:
• Improper input validation - CVE-2018-8850;
• Improper neutralization of input during web page generation (cross-site scripting) - CVE-2018-8846;
• Information exposure - CVE-2018-14803;
• Incorrect default permissions - CVE-2018-8848;
• Cleartext transmission of sensitive information - CVE-2018-8842;
• Cross-site request forgery - CVE-2018-8844;
• Session fixation - CVE-2018-8852;
• Uncontrolled resource consumption - CVE-2018-8854; and
• Use of hard-coded credentials - CVE-2018-8856.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit some of these vulnerabilities to provide
unexpected input to the application, execute arbitrary code, display unit
information, or potentially cause the e-Alert to crash. The remaining vulnerabilities
can only be exploited from within the same subnet as the device.
Martem Update
This update
provides new information on an advisory that was originally
published on May 22nd, 2018 and updated on May 24th,
2018. The new information includes:
• An additional vulnerability (incorrect default permissions);
• An additional risk consequence (full control over the RTU);
• Updated affected version information; and
• Mitigation information for the new vulnerability.
Philips Update
This update
provides new information on an advisory that was originally
published on August 21st, 2018. The new information removes the ‘remotely
exploitable’ language and notes that the “vulnerability is exploitable from
within the same local device subnet”.