Yesterday the DHS NCCIC-ICS published three control system
security advisories for products from Delta Industrial Automation and NUUO (2).
They also updated a previously published control system security advisory for products
from Yokogawa medical device security advisories for products from Medtronic,
BD and Phillips.
Delta Advisory
This advisory
describes two vulnerabilities in the Delta Industrial Automation TPEditor. The
vulnerabilities were reported by Ariele Caltabiano (kimiya) of 9SG Security
Team and Mat Powel. Delta has a new version that mitigates the vulnerability.
There is no indication that the researchers were provided an opportunity to
verify the efficacy of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-17929;
and
• Out-of-bounds write - CVE-2018-17927
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to crash the
accessed device, resulting in a buffer overflow condition that may allow remote
code execution.
CMS Advisory
This advisory
describes four vulnerabilities in the NUUO CMS software management platform.
The vulnerabilities were reported by Pedro Ribeiro. NUUO has a firmware update
that mitigates the vulnerabilities. There is no indication that Ribeiro has
been provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Use of insufficiently random values
- CVE-2018-17888;
• Use of obsolete function - CVE-2018-17890;
• Incorrect permission assignment
for critical resource - CVE-2018-17892; and
• Use of hard-coded credentials - CVE-2018-17894
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to result in arbitrary remote code
execution.
NVRmini2 Advisory
This advisory
describes two vulnerabilities in the NUUO NVRmini2, NVRsolo network video
recorders. The vulnerabilities were reported by Jacob Baines of Tenable. NUUO
has a firmware update that mitigates the vulnerabilities. There is no
indication that Baines has been provided an opportunity to verify the efficacy
of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-1149;
and
• Leftover debug code - CVE-2018-1150
NCCIC-ICS reports that a relatively low-skilled attacker
using publicly available exploit code could remotely exploit the vulnerabilities
to achieve remote code execution and user account modification.
Yokogawa Update
This update
provides additional information on an advisory that was originally
reported on May 31st, 2018. The new information includes:
• Addition of four new
vulnerabilities;
• Revision of exploit consequences;
• Addition of new products
affected; and
• Addition of mitigation
information for newly identified products.
NOTE: All of this new information was reported in a separate
Yokogawa advisory that I discussed here
last month. That new advisory was not referenced in this update.
Medtronic Update
This update
provides additional information on an advisory that was originally
published on February 27th, 2018 and updated on June
27th, 2018. The new information includes:
• Addition of a new affected
product;
• Addition of statement on possible
remote access exploitation;
• Addition of a third
vulnerability;
• Addition of report of new
mitigation measure implemented by Medtronic
BD Update
This update
provides additional information on an advisory that was originally
published on May 22nd, 2018. The new information includes a report
of implementation of the promised mitigation measures.
Phillips Update
This update
provides additional information on an advisory that was originally
published on August 21st, 2018 and updated on August
30th, 2018. The new information includes the announcement of
future mitigation measures to be undertaken by Phillips.
Posts
No comments:
Post a Comment