Wednesday, October 3, 2018

Three Advisories and Three Updates Published


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Entes, GE and Delta Electronics. They also updated previously published advisories for products from Philips, WECON and ABB.

Entes Advisory


This advisory describes two vulnerabilities in the Entes EMG 12, an Ethernet Modbus Gateway. The vulnerabilities were reported by Can Demirel of Biznet Bilisim. Entes has a new firmware version that mitigates the vulnerabilities. There is no indication that Demirel has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-14826; and
• Information exposure in query strings in GET request - CVE-2018-14822

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain unauthorized access and change device configuration and settings.

GE Advisory


This advisory describes a heap-based buffer overflow in the GE Communicator application. The vulnerability was reported by kimiya, working with iDefense Labs. Newer versions of the application mitigate the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute arbitrary code or create a denial-of-service condition.

Delta Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Delta ISPSoft, a PLC program development tool. The vulnerability was reported by Ariele Caltabiano (kimiya) via ZDI. Newer versions of the tool mitigate the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute code under the context of the application.

Philips Update


This update provides additional information on an advisory that was originally published on March 29th, 2018. The update adds the phrase “and/or system information” to the description provided for ‘information exposure’ vulnerabilities.

WECON Update


This update provides additional information on an advisory that was originally published on July 31st, 2018. The updated information includes:

• Two new vulnerabilities added, and
• Added a third reporting security researcher.

I would have normally expected this to be a separate advisory, but since the original advisory was based upon information provided via the Zero Day Initiative, I suspect that there was an issue on that end of the process that is being corrected here.

ABB Update


This update provides additional information on an advisory that was originally published on August 28th, 2018. The update provides new mitigation information.
