This week we have vendor updates of previously issued advisories
from Siemens and an apparently uncoordinated vendor disclosure for products
from SourceForge (an open-source project hosting web site).
Siemens Advisory Updates
As part of the swath of 16 advisories and updates issued by
Siemens this week, there were three updates that were not covered by NCCIC-ICS
updates. These were for vulnerabilities addressed in ICS-CERT generic alerts;
NCCIC-ICS does not update these alerts for new information from the existing
vendor list on the alert, since the links on those alerts already take interested
parties to this latest information.
SSA-168644 v1.8 – Spectre and Meltdown Vulnerabilities in Industrial Products. Updated solution for RUGGEDCOM RX1400 VPE;
SSA-254686 v1.1 – Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. Added solution for SIMATIC IPC647D, SIMATIC IPC847D, SIMATIC IPC647C, SIMATIC IPC847C, SIMATIC IPC627C, SIMATIC IPC677C, SIMATIC IPC827C, SIMOTION P320-4S, SIMOTION P320-4E;
SSA-268644 v1.2 – Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products; and
GPS Tracking System Vulnerabilities
Ihsan Sencan published an exploit for
an SQL injection vulnerability in the SourceForge GPS Fleet/Vehicle Tracking
System Using Open Source Traccar Server.
There is no CVE associated with this exploit, and SourceForge lists the software
as “abandoned”, so this is probably a 0-day exploit. The product webpage says
that there were 48 downloads this week, but I suspect that most of those were
security researchers following up on Sencan’s exploit release.