Saturday, December 8, 2018

Public ICS Disclosures – Week of 12-01-18

This week we have vendor notifications for products from OSIsoft and Schneider Electric and a researcher report of vulnerabilities in products from Pilz. We also have two exploit publications for products from Rockwell Automation (one may be a 0-day).

OSIsoft Vulnerabilities

In their Release Notes for the latest version of PIProcessbook, OSIsoft reports that there are three vulnerabilities being corrected by this release. Those vulnerabilities are related to an included older version of Microsoft’s VBA 6.5. A separate security advisory is being (was?) released to provide further details on these ‘high impact’ vulnerabilities. If it has been released, then my limited (non-customer) access to the OSIsoft site does not provide access to the advisory. The Release Notes do credit the Australian Energy Market Operator (AEMO) with reporting the vulnerabilities.

Schneider Advisory

This advisory describes three vulnerabilities in the Eurotherm by Schneider Electric GUIcon product. The vulnerabilities were reported by mdm and rgod (9SG Security Team). Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.

The three reported vulnerabilities are:

• Type confusion (2) - CVE-2018-7813 and CVE-2018-7815; and
• Stack-based buffer overflow - CVE-2018-7814

Pilz Advisory

Applied Risk has published an advisory for a clear-text storage of sensitive information vulnerability in the Pilz PNOZmulti Configurator, a safety system tool. This is a coordinated disclosure. Pilz has a new version that mitigates the vulnerability.

Rockwell Exploits

Luca.Chiou published an exploit for an incorrect access control authentication bypass vulnerability in the Rockwell Allen-Bradley PowerMonitor 1000. A CVE has been reserved for this vulnerability (CVE-2018-19616, no further information available) which may indicate that Rockwell has been notified of this vulnerability.

Luca.Chiou published an exploit for a cross-site scripting vulnerability in the Rockwell Allen-Bradley PowerMonitor 1000. No CVE is provided in the exploit documentation. This may indicate that this is a 0-day vulnerability.

1 comment:

Bryan Owen said...

Hi PJ, clarification on OSIsoft Vulnerabilities section of this post. The release notes describe both SP1 and SP2 fixes because this is a re-release with minor fixes. The vulnerabilities are fixed as of SP1 and were reported to ICS-CERT in ICSA-17-192-05. Sorry for the internet echo. -Bryan

