Saturday, September 1, 2018

Public ICS Disclosures – Week of 08-25-18

This week we have three vendor disclosures for products from Eaton (with exploit), BD, and Schneider. We also have two exploits for (apparently) previously undisclosed vulnerabilities in products from Argus.

Eaton Advisory and Exploit

Eaton published an advisory for undescribed vulnerabilities in older versions of their Power Xpert Meter firmware. This advisory is a poster child of the problems with vulnerability disclosures discussed earlier this week. No information beyond affected version numbers and recommendation to update to a new version.

BrianWGray published an exploit for a SSH private key disclosure vulnerability in the affected Eaton products. He notes that the affected versions of the product shipped “with a public/private key pair on Power Xpert Meter hardware that allows passwordless authentication to any other affected Power Xpert Meter”.

BD Advisory

BD published an unusual advisory for their entire product line for a Microsoft Windows® task scheduler vulnerability. No word of exploits against BD products.

Schneider Advisory

Schneider published an advisory for malware in a USB device shipped with their  Conext Combox and Conext Battery Monitor products. This is a third-party product issue. Schneider notes that the unnamed malware “should be detected and blocked by all major anti-malware programs”. The files included on the USB device are not necessary for the installation or operation of the Schneider products and are available on the Schneider web site.

Argus Exploits

John Page (aka hyp3rlinx) published two exploits (here and here) for vulnerabilities in the Argus Surveillance DVR. There are no CVE numbers on the exploit reports and there is no vulnerability reporting on the Argus web site, so I suspect that the two vulnerabilities are 0-days.

The two vulnerabilities are:

• Directory traversal; and
Privilege escalation

No comments:

/* Use this with templates/template-twocol.html */