This week we have three vendor disclosures for products from
Eaton (with exploit), BD, and Schneider. We also have two exploits for (apparently)
previously undisclosed vulnerabilities in products from Argus.
Eaton Advisory and Exploit
Eaton published an
advisory for undescribed vulnerabilities in older versions of their Power
Xpert Meter firmware. This advisory is a poster child of the problems with
vulnerability disclosures discussed
earlier this week. It gives no information beyond the affected version numbers and a
recommendation to update to a new version.
BrianWGray published an exploit for
an SSH private key disclosure vulnerability in the affected Eaton products. He
notes that the affected versions of the product shipped “with a public/private
key pair on Power Xpert Meter hardware that allows passwordless authentication
to any other affected Power Xpert Meter”.
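As an added example (my own, not code from the post or from the published exploit), here is a small check a fleet owner could run over the authorized_keys files collected from their meters to spot the pattern described above: one key trusted by more than one device. Device names and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one 'type base64-blob [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed public key line: {pubkey_line!r}")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(fleet: dict) -> dict:
    """Return {fingerprint: [devices]} for every key trusted by more than one device.

    A key present on several devices is the shared vendor key pair pattern:
    whoever holds the matching private key can log in to every unit listed.
    """
    trusted_by = defaultdict(set)
    for device, lines in fleet.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):  # authorized_keys allows blank/comment lines
                continue
            trusted_by[fingerprint(line)].add(device)
    return {fp: sorted(devs) for fp, devs in trusted_by.items() if len(devs) > 1}


def _blob(label: str) -> str:
    # Constructed stand-in for a key blob; a real blob is the wire-encoded key, not a label.
    return base64.b64encode(label.encode()).decode()


# Constructed inventory: authorized_keys lines collected from three hypothetical meters.
FLEET_KEYS = {
    "meter-01": [f"ssh-rsa {_blob('factory-image-key')} firmware@factory-image",
                 f"ssh-rsa {_blob('meter-01-only')} admin@meter-01"],
    "meter-02": [f"ssh-rsa {_blob('factory-image-key')} firmware@factory-image"],
    "meter-03": ["# rotated after commissioning",
                 f"ssh-rsa {_blob('meter-03-only')} admin@meter-03"],
}

if __name__ == "__main__":
    for fp, devices in find_shared_keys(FLEET_KEYS).items():
        print(f"{fp} is trusted by {len(devices)} devices: {', '.join(devices)}")
```

The same routine applied to collected host keys (ssh_host_*_key.pub) would show whether the devices also share server identity, which is the other half of a cloned firmware image.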
BD Advisory
BD published an unusual
advisory for their entire product line for a Microsoft Windows® task scheduler vulnerability.
No word of exploits against BD products.
Schneider Advisory
Schneider published an
advisory for malware in a USB device shipped with their Conext Combox and Conext Battery Monitor
products. This is a third-party product issue. Schneider notes that the unnamed
malware “should be detected and blocked by all major anti-malware programs”.
The files included on the USB device are not necessary for the installation or
operation of the Schneider products and are available on the Schneider web
site.
Argus Exploits
John Page (aka hyp3rlinx) published two exploits (here and here) for vulnerabilities
in the Argus Surveillance DVR. There are no CVE numbers on the exploit reports
and there is no vulnerability reporting on the Argus web site, so I suspect
that the two vulnerabilities are 0-days.
The two vulnerabilities are:
• Directory traversal; and
• Privilege escalation