Today the DHS NCCIC-ICS published a control system security
advisory for products from INVT Electric. The advisory describes
two vulnerabilities in the INVT VT-Designer. The vulnerabilities were
reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. No
mitigation measures are currently available for these vulnerabilities.
The two reported vulnerabilities are:
• Deserialization of untrusted data - CVE-2018-18987; and
• Heap-based buffer overflow - CVE-2018-18983
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to cause the program to crash,
and that exploitation may allow remote code execution.
NOTE: It looks like another Chinese ICS company is not quite
responsive to NCCIC-ICS vulnerability coordination efforts.