This week we have vendor notifications from Bosch, AVEVA,
Drager, Yokogawa and BD. We also have an exploit of a previously disclosed set
of vulnerabilities for products from NUUO.
Bosch Advisory
Bosch has published an
advisory for two vulnerabilities in their DIVAR 400 & 600 digital
recorders. The vulnerabilities were reported by Maxim Rupp. Bosch has provided
generic workarounds to mitigate the vulnerability. There is no indication that
Rupp has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper access control; and
• Unprotected credentials
AVEVA Advisory
AVEVA has published an advisory for three vulnerabilities in
their Wonderware System Platform. The vulnerabilities were reported by Vladimir
Dashchennko from Kaspersky Lab. AVEVA has a new update that mitigates the
vulnerabilities. There is no indication that Daschennko has been provided an opportunity
to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Insufficiently protected credentials;
• Execution with unnecessary privilege;
and
• Missing authorization
These vulnerabilities were coordinated through ‘ICS-CERT’ so
I expect that we will see an advisory from NCCIC-ICS next week (though they may
have a backlog to work through now that the Federal Funding Fiasco is at least temporarily
over).
Drager Advisory
Drager published an
advisory that is not technically for a control system vulnerability. They
are advising customers of a number of reported fraudulent emails from apparent
Drager email addresses that have been part of schemes to have companies make
payments to non-Drager accounts.
Yokogawa Advisory
Yokogawa has published an
advisory for an access control vulnerability in their License Manager
Service. The vulnerability was reported by Kaspersky Lab. Yokogawa has patches
that mitigate the vulnerability. There is no indication that Kaspersky Lab has
been provided an opportunity to verify the efficacy of the fix.
BD Advisory
BD has published an
advisory (actually an update for an
advisory that was
issued last summer) for a Microsoft Windows vulnerability in the task
scheduler that affects a
number of BD products. BD will patch the software during the next patch
cycle.
NUOO Exploit
Pedro Ribeiro published a set of exploits
for the NUOO CMS software management platform. The vulnerabilities were
reported by NCCIC-ICS in an advisory published
on October 12th, 2018 and updated on November
20th, 2018. Ribeiro was the one who originally reported the NUOO
vulnerabilities to NCCIC-ICS.
In addition to publishing four Metasploit modules as part of
his exploit report, Ribeiro reports that one of the vulnerabilities reported
through NCCIC-ICS (Use of hard-coded credentials - CVE-2018-17894) has not
actually been fixed as was reported in the NCCIC-ICS advisory.
Reading the exploit report from Ribeiro provides an
interesting look into the coordinated disclosure process where the vendor is
less than cooperative. Pedro has all sorts of nice things to say about the
folks he worked with at ‘ICS-CERT’ during the two-year process but suffice to
say he is disappointed with NUOO.
Posts
No comments:
Post a Comment