This week we have two vendor notifications for products from
Schneider Electric and Eaton.
Schneider Advisory
This advisory
describes a DLL hijacking vulnerability in the Schneider Electric Software
Update (SESU) which is installed with a wide variety of Schneider products. The
vulnerability was reported by Haojun Hou (ADLab of Venustech). Schneider has an
update available to mitigate the vulnerability. There is no indication that
Haojun has been provided an opportunity to verify the efficacy of the fix.
Eaton Advisory
This advisory
mentions an unexplained vulnerability in the Eaton Network Card-MS for UPS.
This vulnerability is apparently being self-reported. Eaton has a newer version
of the firmware that mitigates the vulnerability.
NOTE: This is about the most worthless security notification
that I have ever seen. Not only does it not describe the vulnerability (or
provide a CVE number, or describe the associated risk), but the “link” to a
cybersecurity whitepaper, which presumably provides potentially useful generic
workaround information for power distribution systems, is not actually a link;
it is just the blue-underlined word “here”. Oh, and by the way, how many people
know the firmware version number of the network communication card in their
UPS?