Today the DHS NCCIC-ICS proved that they were not currently furloughed
(though still not being paid for their service) by publishing three control
system security advisories for products from Hetronic, Yokogawa, and Schneider
Electric.
Hetronic Advisory
This advisory
describes a authentication bypass by capture-replay vulnerability in the
Hetronic Nova-M family of remote control transmitters and receivers. The
vulnerability was reported by Jonathan Andersson, Philippe Z Lin, Akira Urano,
Marco Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler via the Zero
Day Initiative. Hetronic has new firmware versions that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow
unauthorized users to view commands, replay commands, control the device, or
stop the device from running.
Yokogawa Advisory
This advisory
describes a resource management error vulnerability in the Yokogawa Vnet/IP
Open Communication Driver. The vulnerability was self-reported. Yokogawa has
new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to allow an attacker to cause Vnet/IP
network communications to controlled devices to become unavailable.
NOTE: I briefly
discussed this vulnerability almost two weeks ago.
Schneider Advisory
This advisory
describes an improper input validation vulnerability in the Schneider Pro-face
GP-Pro EX devices. The vulnerability was reported by Yu Quiang of Venustech’s
ADLab. Schneider has a new version that mitigates the vulnerability. There is
no indication that Yu has been provided an opportunity to verify the efficacy
of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to modify code to
launch an arbitrary executable upon launch of the program.
NOTE: I briefly
discussed this vulnerability almost two weeks ago.
Commentary
I am really glad to see that NCCIC-ICS is publishing advisories
during the Federal Funding Fiasco. The people doing the writing, editing,
reviewing and posting of these advisories are currently working without pay
though they may (probably will) be paid once the FFF is fixed, but that does
not make their day-to-day life outside of the office any easier. Please
remember them in your thoughts and prayers, and most importantly in your
letters to your congresscritters.
Posts
No comments:
Post a Comment