Wednesday, October 31, 2018

One Advisory and Two Updates Published


Yesterday the DHS NCCIC-ICS published one new control system security advisory and updates for two previously published advisories.

PEPPERL+FUCHS Advisory


This advisory describes an improper privilege management vulnerability in the PEPPERL+FUCHS CT50-Ex. This vulnerability is being self-reported. PEPPERL+FUCHS has an update available that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a malicious third-party application to gain elevated privileges and obtain access to sensitive information.

NOTE: I discussed this vulnerability (and the associated Honeywell advisory) two weeks ago.

Rockwell Update


This update provides new information on an advisory that was originally reported on March 1st, 2016. The new information includes:

• Report of a publicly available exploit;
• Added affected products and associated mitigation measures;
• Added a second reporting researcher {Venkatesh Sivakumar (@PranavVenkatS)}; and
• Added additional mitigation measures.

NOTE: Rockwell has not updated their security advisory to reflect these changes.

Vecna Update


This update provides new information on an advisory that was originally published on April 24th, 2018. The new information includes:

• Report of remote exploitability;
• Added two new vulnerabilities;
• Expanded exploit risk;
• Clarified affected versions; and
• Added three new vulnerabilities.
