Saturday, October 27, 2018

Public ICS Disclosures – Week of 10-20-18

This week we have two vendor notifications for products from Schneider Electric and Eaton.

Schneider Advisory

This advisory describes a DLL hijacking vulnerability in the Schneider Electric Software Update (SESU) which is installed with a wide variety of Schneider products. The vulnerability was reported by Haojun Hou (ADLab of Venustech). Schneider has an update available to mitigate the vulnerability. There is no indication that Haojun has been provided an opportunity to verify the efficacy of the fix.
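For readers who have to assess exposure to this class of bug on their own hosts, here is an added defender-side example (not Schneider's code, not from the advisory, and not a vendor tool): a small Python script that walks a DLL search order and reports any directory that an unprivileged user can write to and that comes before the directory holding the legitimate DLL. The search order, the DLL names and the directory layout it builds are constructed for the demonstration; the function names are hypothetical.

```python
"""Assess DLL search-order hijacking exposure for an installed application.

Windows resolves an implicitly loaded DLL by walking a fixed search order
(with SafeDllSearchMode: application directory, system directory, Windows
directory, current directory, then PATH entries).  If a directory earlier
in that order than the one holding the legitimate DLL is writable by an
unprivileged user, a planted file of the same name would be loaded first.
A DLL that is not found anywhere is the worst case: every writable
directory in the order is a candidate.  This helper reports those
directories so an administrator can tighten ACLs; it is an added example,
not part of any vendor product.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, List, Optional


@dataclass
class Finding:
    dll: str
    writable_dir: str            # directory an unprivileged user can write to
    legit_dir: Optional[str]     # where the real DLL lives; None if not found


def writable_by_current_user(directory: str) -> bool:
    """Real check: can the user running this script write to the directory?"""
    return os.access(directory, os.W_OK)


def assess(search_order: List[str],
           dll_names: List[str],
           is_writable: Callable[[str], bool] = writable_by_current_user
           ) -> List[Finding]:
    """Return one Finding per (dll, directory) pair that could be hijacked.

    `is_writable` is injectable so the logic can be tested without
    depending on the permissions of the machine running the test.
    """
    findings: List[Finding] = []
    for dll in dll_names:
        # Locate the first directory in search order that holds the DLL.
        legit: Optional[str] = None
        for directory in search_order:
            if (Path(directory) / dll).is_file():
                legit = directory
                break
        # Any writable directory searched before the legitimate one is exposed.
        for directory in search_order:
            if directory == legit:
                break
            if is_writable(directory):
                findings.append(Finding(dll, directory, legit))
    return findings


def build_demo_layout(root: str) -> List[str]:
    """Constructed layout: app dir (empty) searched before a system dir
    that actually holds the DLL.  Returns the search order."""
    app_dir = os.path.join(root, "app")
    sys_dir = os.path.join(root, "system")
    os.makedirs(app_dir)
    os.makedirs(sys_dir)
    Path(sys_dir, "example_helper.dll").write_bytes(b"")  # placeholder file
    return [app_dir, sys_dir]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        order = build_demo_layout(tmp)
        for f in assess(order, ["example_helper.dll", "missing.dll"]):
            print(f"{f.dll}: writable {f.writable_dir} precedes {f.legit_dir}")
```

Run it against the real application directory and the PATH entries of the host in question; a finding means the ACL on that directory should be reviewed so that only administrators can create files there.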

Eaton Advisory

This advisory mentions an unexplained vulnerability in the Eaton Network Card-MS for UPS. The vulnerability is apparently self-reported. Eaton has a newer version of the firmware that mitigates the vulnerability.

NOTE: This is about the most worthless security notification that I have ever seen. Not only does it not describe the vulnerability (or provide a CVE number, or describe the associated risk), but the “link” to a cybersecurity whitepaper, which presumably provides potentially useful generic workaround information for power distribution systems, is not actually a link; it is just the blue-underlined word “here”. Oh, and by the way, how many people know the firmware version number of the network communication card that is in their UPS?

