Saturday, September 29, 2018

Public ICS Disclosures – Week of 09-22-18

This week we have two vendor disclosures from Yokogawa and Phoenix Contact. The Yokogawa report could show up on the NCCIC-ICS site next week.

Yokogawa

The Yokogawa advisory describes four vulnerabilities in their STARDOM controllers. The vulnerabilities were reported by VDLab of Venustech. A new software version mitigates one of the vulnerabilities and Yokogawa has provided generic workarounds for the remaining three. There is no indication that VDLab has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities (no CVE numbers are reported) are:

• Vulnerability of credential management;
• Denial of service vulnerability to remote management function;
• Hardcoded credential vulnerability of maintenance function; and
• Memory exhaustion vulnerability by not permitted request.

Phoenix Contact

The Phoenix Contact advisory describes an incorrect handling of web request vulnerability in their Phoenix Contact AXL F BK bus coupler. The vulnerability was reported by Anne Borcherding, Steffen Pfrang, David Meier and Christian Haas from Fraunhofer IOSB. Phoenix Contact has provided generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
