Thursday, October 18, 2018

Omron Advisory Published

Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Omron. The advisory describes four vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by Mat Powell, Ariele Caltabiano (kimiya) of 9SG Security Team, and b0nd @garage4hackers via the Zero Day Initiative. Omron has a new version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2018-17905;
• Out-of-bounds read - CVE-2018-17907;
• Use after free - CVE-2018-17909; and
Incorrect type version or cast - CVE-2018-17913

NCCIC-ICS reports that an uncharacterized hacker with uncharacterized access could exploit these vulnerabilities to execute code under the context of the application, corrupt objects, and force the application to read a value outside of an array.

No comments:

/* Use this with templates/template-twocol.html */