Yesterday the DHS NCCIC-ICS published a control system
security advisory for products from Omron. The advisory describes four
vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported
by Mat Powell, Ariele Caltabiano (kimiya) of 9SG Security Team, and b0nd
@garage4hackers via the Zero Day Initiative. Omron has a new version that
mitigates the vulnerabilities. There is no indication that any of the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The four reported vulnerabilities are:
• Improper restriction of operations within the bounds of a memory buffer - CVE-2018-17905;
• Out-of-bounds read - CVE-2018-17907;
• Use after free - CVE-2018-17909; and
• Incorrect type conversion or cast - CVE-2018-17913.
NCCIC-ICS reports that an uncharacterized hacker with
uncharacterized access could exploit these vulnerabilities to execute code
under the context of the application, corrupt objects, and force the
application to read a value outside of an array.