Tuesday, August 21, 2018

ICS-CERT Publishes 2 Advisories and an Update

Today the DHS ICS-CERT published a control system security advisory for products from Yokogawa and a medical device security advisory for products from Philips. They also updated a previously published control system advisory for products from GE. The Yokogawa vulnerability is one of the two that I briefly addressed on Saturday.

Yokogawa Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Yokogawa iDefine, STARDOM, ASTPLANNER, and TriFellows products. The vulnerability affects the licensing function of the products. Yokogawa self-reported the vulnerability and has updates available to mitigate it.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow arbitrary code execution or to stop the license management function.
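To illustrate the class of defect the advisory describes (a stack-based buffer overflow in a routine that handles license data), here is an added example in C. It is constructed for this post and is not Yokogawa's code; the buffer size, the function names and the "YK-" key format are assumptions made for the illustration. The unsafe variant shows the unbounded copy that lets an overlong input overwrite the stack; the hardened variant rejects oversized input before copying and uses a bounded copy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LICENSE_MAX 32  /* constructed buffer size for this example */

/* Vulnerable pattern (constructed, not Yokogawa's code): the license
 * string received from the network is copied into a fixed-size stack
 * buffer with no length check, so any input of LICENSE_MAX bytes or
 * more overruns the buffer and corrupts the stack frame. */
int parse_license_unsafe(const char *input)
{
    char key[LICENSE_MAX];
    strcpy(key, input);                 /* unbounded copy: stack overflow */
    return key[0] == 'Y';
}

/* Hardened version: check the length against the buffer before any copy,
 * then copy only the checked number of bytes and NUL-terminate.
 * Returns 1 if the key is accepted, 0 if it fails the format check,
 * and -1 if the input is too large to fit (refused without copying). */
int parse_license_safe(const char *input, size_t input_len)
{
    char key[LICENSE_MAX];
    if (input_len >= LICENSE_MAX)
        return -1;                      /* oversize: refuse, never copy */
    memcpy(key, input, input_len);
    key[input_len] = '\0';
    /* constructed format rule: an accepted key starts with "YK-" */
    return strncmp(key, "YK-", 3) == 0 ? 1 : 0;
}

int main(void)
{
    const char *good = "YK-1234";                 /* constructed sample */
    const char *bad  = "AB-1234";                 /* constructed sample */
    char big[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';                   /* 63-byte input */

    printf("good: %d\n", parse_license_safe(good, strlen(good)));
    printf("bad:  %d\n", parse_license_safe(bad, strlen(bad)));
    printf("big:  %d\n", parse_license_safe(big, strlen(big)));
    /* parse_license_unsafe(big) is deliberately not called: it would
     * overrun the stack buffer, which is exactly the defect shown. */
    return 0;
}
```

The defensive point is that the length check happens before the copy and the rejected path never touches the stack buffer; a denial of the license function (the second outcome ICS-CERT lists) is still possible if callers treat -1 as fatal, so the caller should log and continue rather than abort.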

Philips Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Philips IntelliVue Information Center iX. An unidentified user notified Philips of the problem. Philips has identified workarounds and expects to provide an update in the third quarter of 2018.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to effect a denial of service: the operating system becomes unresponsive under the network attack, which affects the application's ability to meet its intended use.

GE Update

This update provides additional information on an advisory that was originally published on June 27th, 2012. The update provides a link to the GE advisory that was last updated on February 22nd, 2013. A document linked to in that advisory provides a more detailed description of the vulnerabilities and mitigation measures. That document was updated this weekend to correct broken links to the ICS-CERT; interestingly I cannot find any ICS-CERT links in either GE document.
