Earlier this week the DHS NCCIC-ICS published two control system security advisories for products from SpiderControl and Omron.
SpiderControl Advisory
This advisory describes a cross-site scripting vulnerability in the SpiderControl SCADA WebServer. The vulnerability was reported by Ismail Bulbul. SpiderControl has a new version that mitigates the vulnerability. There is no indication that Bulbul has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to execute JavaScript in the victim’s browser.
Omron Advisory
This advisory describes two vulnerabilities in the Omron CX-One application. The vulnerabilities were reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative. Omron has an update that mitigates the vulnerabilities. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-18993; and
• Use after free - CVE-2018-18989.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute code under the privileges of the application.
ODD NOTE: This post was actually written on Tuesday night
and I was sure that it had been posted, but it is surely not on the blog. I
guess I am getting senile in my middle age.