Today the DHS ICS-CERT published two control system security
advisories for products from NetComm and Crestron.
NetComm Advisory
This advisory
describes four vulnerabilities in the NetComm 4G LTE Light Industrial M2M
Router. The vulnerabilities were reported by Aditya K. Sood. NetComm has new
firmware that mitigates the vulnerabilities. There is no indication that Sood
has been provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Information exposure - CVE-2018-14782;
• Cross-site request forgery - CVE-2018-14783;
• Cross-site scripting - CVE-2018-14784; and
• Information exposure through directory listing - CVE-2018-14785.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow for the exposure of
sensitive information.
Crestron Advisory
This advisory
describes four vulnerabilities in the Crestron TSW-X60 and MC3 products. The
vulnerabilities were independently reported by Jackson Thuraisamy (via Security
Compass) and Ricky “HeadlessZeke” Lawshae (via the Zero Day Initiative).
Crestron has firmware versions available that mitigate the vulnerabilities.
There is no indication that either researcher has been offered an opportunity
to verify efficacy of the fix.
The four reported vulnerabilities are:
• OS command injection (2) - CVE-2018-11228 and CVE-2018-11229;
• Improper access control - CVE-2018-10630; and
• Insufficiently protected credentials - CVE-2018-13341.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow remote code execution with
escalated system privileges.
NOTE: Is it just me or does it seem odd that the same
vulnerabilities are found in a touch-screen device and a control system
processor controller?