Yesterday the DHS NCCIC-ICS published three control system
security advisories for products from Entes, GE and Delta Electronics. They
also updated previously published advisories for products from Phillips, WECOM
and ABB.
Entes Advisory
This advisory
describes two vulnerabilities in the Entes EMG 12, an Ethernet Modbus Gateway.
The vulnerability was reported by Can Demirel of Biznet Bilisim. Entes has a new
firmware version that mitigates the vulnerabilities. There is no indication
that Demirel has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper authentication - CVE-2018-14826;
and
• Information exposure in query strings in get
request - CVE-2018-14822
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain unauthorized access and could
allow the ability to change device configuration and settings.
GE Advisory
This advisory
describes a heap based buffer overflow in the GE Communicator application. The vulnerability
was reported by kimiya, working with iDefense Labs. Newer versions of the
application mitigate the vulnerability. There is no indication that kimiya has
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to execute arbitrary code or create a
denial-of-service condition.
Delta Advisory
This advisory describes a stack-based buffer overflow
vulnerability in the Delta ISPSoft, a PLC program development tool. The
vulnerability was reported by Ariele Caltabiano (kimiya) via ZDI. Newer
versions of the tool mitigate the vulnerability. There is no indication that kimiya
has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to execute code
under the context of the application.
Phillips Update
This update
provides additional information on an advisory that was originally
published on March 29th, 2018. The update adds the phrase “and/or
system information” to the description provided for ‘information exposure’
vulnerabilities.
WECON Update
This update
provides additional information on an advisory that was originally
published on July 31st, 2018. The updated information includes:
• Two new vulnerabilities added,
and
• Added a third reporting security
researcher.
I would have normally expected this to be a separate
advisory, but since the original advisory was based upon information provided
via the Zero Day Initiative, I suspect that there was an issue on that end of
the process that is being corrected here.
ABB Update
This update
provides additional information on an advisory that was originally
published on August 28th, 2018. The update provides new
mitigation information.
Posts
No comments:
Post a Comment