Yesterday the DHS NCCIC-ICS published a control system advisory
for products from Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS).
The advisory describes six vulnerabilities in the LAquis SCADA software. The
vulnerabilities were reported by Mat Powell, rgod of 9SG Security Team, Esteban
Ruiz (mr_me) of Source Incite, b0nd @garage4hackers, and Ashraf Alharbi
(Ha5ha5hin) via the Zero Day Initiative. LCDS has a new version that mitigates
the vulnerability. There is no indication that any of the researchers have been
provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Untrusted pointer dereference - CVE-2018-17893;
• Out-of-bounds read - CVE-2018-17895;
• Integer overflow to buffer
overflow - CVE-2018-17897;
• Path traversal - CVE-2018-17899;
• Out-of-bounds write - CVE-2018-17901
and
• Stack-based buffer overflow - CVE-2018-17911
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute arbitrary code, crash
the system, or write controlled content to the target system.
Posts
No comments:
Post a Comment