Saturday, November 17, 2018

Public ICS Disclosures – Week of 11-10-18

This week we have vendor updates of previously issued advisories from Siemens and an apparently uncoordinated vendor disclosure for products from SourceForge (an open source product web site).

Siemens Advisory Updates

As part of the swath of 16 advisories and updates issued by Siemens this week, there were three updates that were not covered by NCCIC-ICS updates. These were for vulnerabilities addressed in ICS-CERT generic alerts; NCCIC-ICS does not update these alerts with new information from the vendors already listed on the alert, since the links on those alerts already take interested parties to this latest information.

SSA-168644 v1.8 – Spectre and Meltdown Vulnerabilities in Industrial Products. Updated solution for RUGGEDCOM RX1400 VPE;
SSA-254686 v1.1 – Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. Added solution for SIMATIC IPC647D, SIMATIC IPC847D, SIMATIC IPC647C, and
SSA-268644 v1.2 – Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products.

GPS Tracking System Vulnerabilities

Ihsan Sencan published an exploit for an SQL injection vulnerability in the SourceForge project "GPS Fleet/Vehicle Tracking System Using Open Source Traccar Server". There is no CVE associated with this exploit, and SourceForge lists the software as “abandoned”, so this is probably a 0-day exploit. The product webpage says that there were 48 downloads this week, but I suspect that most of those were security researchers following up on Sencan’s exploit release.
