Today the DHS NCCIC-ICS published three control system
security advisories for products from AVEVA, Mitsubishi, and Yokogawa. They
also published two medical device security advisories for products from BD and
Stryker.
AVEVA Advisory
This advisory
describes an insufficiently protected credential vulnerability in the AVEVA
Wonderware System Platform. The vulnerability was reported
by Vladimir Dashchenko from Kaspersky Lab. AVEVA has an update that mitigates
the vulnerability. There is no indication that Dashchenko has been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow
unauthorized access to the credentials for the ArchestrA Network User Account.
NOTE: I briefly
discussed this advisory last Saturday.
Mitsubishi Advisory
This advisory
describes a resource exhaustion vulnerability in the Mitsubishi MELSEC-Q series
PLCs. The vulnerability was reported by Tri Quach of Amazon’s Customer
Fulfillment Technology Security (CFTS) group. Mitsubishi has a new firmware
version that mitigates the vulnerability. There is no indication that Tri has
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow a remote attacker to send
specially crafted packets to the device, causing Ethernet communication to
stop.
Yokogawa Advisory
This advisory
describes an unrestricted upload of files with dangerous type vulnerability in
the Yokogawa License Manager Service. The vulnerability was reported by Kaspersky
Lab. The latest version mitigates the vulnerability. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
NOTE: I briefly
discussed this advisory last Saturday.
BD Advisory
This advisory
describes an improper access control vulnerability in the BD FACSLyric. This
vulnerability was self-reported. BD will directly apply mitigation measures to
the affected systems.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow an
attacker to gain unauthorized access to administrative level privileges on a
workstation, which could allow arbitrary execution of commands. This
vulnerability does not impact BD FACSLyric flow cytometry systems using the
Windows 7 Operating System.
NOTE: This is not the BD advisory that I briefly
discussed last Saturday.
Stryker Advisory
This advisory
describes a reusing a nonce vulnerability in the Stryker Secure II
MedSurg Bed, S3 MedSurg Bed, and InTouch ICU Bed products. This is for the Key
Reinstallation Attack (KRACK) set
of vulnerabilities. This advisory only reports nine of the ten CVEs for the
KRACK vulnerability. Stryker has software updates to mitigate the vulnerability.