This week we have two vendor disclosures from Yokogawa and
Phoenix Contact. The Yokogawa report could show up on the NCCIC-ICS site next
week.
Yokogawa
The Yokogawa advisory
describes four vulnerabilities in their STARDOM controllers. The
vulnerabilities were reported by VDLab of Venustech. A new software version
mitigates one of the vulnerabilities and Yokogawa has provided generic workarounds
for the remaining three. There is no indication that VDLab has been provided an
opportunity to verify the efficacy of the fix.
The four reported vulnerabilities (no CVE numbers are reported) are:
• Vulnerability of credential management;
• Denial of service vulnerability of the remote management function;
• Hardcoded credential vulnerability of the maintenance function; and
• Memory exhaustion vulnerability caused by a non-permitted request.
Phoenix Contact
The Phoenix Contact advisory
describes an incorrect handling of web request vulnerability in their Phoenix
Contact AXL F BK bus coupler. The vulnerability was reported by Anne Borcherding,
Steffen Pfrang, David Meier and Christian Haas from Fraunhofer IOSB. Phoenix Contact
has provided generic workarounds to mitigate the vulnerability. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the workarounds.