Today the DHS ICS-CERT published a control system security
advisory for products from Yokogawa and a medical device security advisory for
products from Philips. They also updated a previously published control system
advisory for products from GE. The Yokogawa vulnerability is one of the two
that I briefly addressed on Saturday.
Yokogawa Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the Yokogawa iDefine,
STARDOM, ASTPLANNER, and TriFellows products. The vulnerability affects the
licensing function of the products. The vulnerability is being self-reported.
Yokogawa has updates available to mitigate the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to execute arbitrary code or to stop
the license management function.
Philips Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the Philips
IntelliVue Information Center iX. An unidentified user notified Philips of the
problem. Philips has identified workarounds and expects to provide an update
in the 3rd quarter of 2018.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to effect a denial of service; the
operating system will become unresponsive due to the network attack, which will
affect the application's ability to meet the intended use.
GE Update
This update
provides additional information on an advisory that was originally published
on June 27th, 2012. The update provides a link to the GE
advisory that was last updated on February 22nd, 2013. A document
linked to in that advisory provides a more detailed description of the
vulnerabilities and mitigation measures. That document was updated this weekend
to correct broken links to the ICS-CERT; interestingly, I cannot find any ICS-CERT
links in either GE document.