Friday, November 2, 2018

Four Advisories and One Update Published


Yesterday the DHS NCCIC-ICS published four new control system security advisories for products from Fr. Sauter, Circontrol, Schneider Electric, and AVEVA. They also updated a previously published advisory for products from Rockwell.

Sauter Advisory


This advisory describes an improper restriction of XML external entity reference in the Sauter CASE Suite application. The vulnerability was reported by Gjoko Krstic of Applied Risk. Sauter has an update that mitigates the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to retrieve unauthorized files from the system.

Circontrol Advisory


This advisory describes two vulnerabilities in the Circontrol CirCarLife electric vehicle charging station. The vulnerabilities were reported by Ankit Anubhav of NewSky Security; M. Can Kurnaz, Senior Consultant at KPMG Netherlands; Alim Solmaz, Security Consultant at Atos; Michael John, Chief Information Security Officer at WePower Network; and Gyorgy Miru, Security Researcher at Verint. Circontrol has a new version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2018-17918; and
• Insufficiently protected credentials - CVE-2018-17922

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to retrieve credentials stored in clear text to bypass authentication, and to see and access critical information.

Schneider Advisory


This advisory describes a DLL hijacking vulnerability in the Schneider Software Update (SESU) installed with a wide variety of Schneider products. The vulnerability was reported by Haojun Hou of ADLab of Venustech. Schneider has an update that mitigates the vulnerability. There is no indication that Haojun has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to execute arbitrary code on the target system.

NOTE: I had previously discussed this vulnerability last weekend.

AVEVA Advisory


This advisory describes two vulnerabilities in the AVEVA InduSoft Web Studio and InTouch Edge HMI. These vulnerabilities were reported by Tenable. AVEVA has new versions that mitigate the vulnerabilities. There is no indication that Tenable was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-17916; and
• Empty password in configuration file - CVE-2018-17914

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an unauthenticated user to remotely execute code.

Rockwell Update


This update provides additional information on an advisory that was originally published on October 26th, 2017. The update provides new mitigation information based upon new limitations on the impact of the vulnerability.

NOTE: This is the KRACK vulnerability advisory for the Rockwell Stratix 5100 Wireless Access Point/Workgroup Bridge.

