Thursday, November 29, 2018

One Advisory Published – 11-29-18

Today the DHS NCCIC-ICS published a control system security advisory for products from INVT Electric.

The advisory describes two vulnerabilities in the INVT VT-Designer. The vulnerabilities were reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. No mitigation measures are currently available for these vulnerabilities.

The two reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2018-18987; and
• Heap-based buffer overflow - CVE-2018-18983

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause the program to crash, and that exploitation may allow remote code execution.

NOTE: It looks like another Chinese ICS company is not quite responsive to NCCIC-ICS vulnerability coordination efforts.
