Wednesday, October 17, 2018

Advisory for LCDS Products

Yesterday the DHS NCCIC-ICS published a control system advisory for products from Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS). The advisory describes six vulnerabilities in the LAquis SCADA software. The vulnerabilities were reported by Mat Powell, rgod of 9SG Security Team, Esteban Ruiz (mr_me) of Source Incite, b0nd @garage4hackers, and Ashraf Alharbi (Ha5ha5hin) via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2018-17893;
• Out-of-bounds read - CVE-2018-17895;
• Integer overflow to buffer overflow - CVE-2018-17897;
• Path traversal - CVE-2018-17899;
• Out-of-bounds write - CVE-2018-17901 and
Stack-based buffer overflow - CVE-2018-17911

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, crash the system, or write controlled content to the target system.

No comments:

/* Use this with templates/template-twocol.html */