Today the DHS NCCIC-ICS published two control system
security advisories for products from Schneider Electric and Teledyne DALSA.
They also published an update for a previously published advisory for products
from NUOO.
Schneider Advisory
This advisory
describes an insufficient verification of data authenticity vulnerability in
the Schneider Modicon M221 PLC. The vulnerability was reported by Eran
Goldstein of CRITIFENCE. Schneider has provided workarounds to mitigate the
vulnerability. There is no indication that Goldstein has been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a change of IPv4
configuration (IP address, mask, and gateway) when remotely connected to the
device.
Teledyne Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the Teledyne Sherlock
machine vision software interface. The vulnerability was reported by Robert
Hawes. Teledyne reports that newer versions mitigate the vulnerability. There
is no indication that Hawes has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to crash the device
being accessed; a buffer overflow condition may allow remote code execution.
NUOO Update
This update
provides additional information on an advisory that was originally
reported on October 11th, 2018. The update adds additional
affected version information and three new vulnerabilities:
• Path traversal - CVE-2018-17934;
• Unrestricted upload of file of
dangerous type - CVE-2018-17936; and
• SQL injection - CVE-2018-18982
Posts
No comments:
Post a Comment