Today the DHS NCCIC-ICS published three control system
security advisories for products from ControlByWeb, ABB and Omron.
ControlByWeb Advisory
This advisory
describes two vulnerabilities in the ControlByWeb X-320M web-enabled weather
station. The vulnerabilities were reported
by John Elder and Tom Westenberg of Applied Risk. ControlByWeb has a firmware
update that mitigates the vulnerability. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The two reported vulnerabilities are:
• Improper authentication - CVE-2018-18881; and
• Cross-site scripting - CVE-2018-18882
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow arbitrary code execution
and could cause the device being accessed to require a physical factory reset
to restore the device to an operational state.
ABB Advisory
This advisory
describes an improper input validation vulnerability in the ABB CP400 Panel Builder
TextEditor. The vulnerability was reported by Ivan Sanchez of NullCode. ABB has
a new version that mitigates the vulnerability. There is no indication that
Sanchez has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to
execute arbitrary code and cause a denial-of-service condition within the Text
Editor application. The ABB
security advisory reports that a social engineering attack would be
required to get an operator to load a specially crafted file.
NOTE: I briefly
discussed this vulnerability back in early December.
Omron Advisory
This advisory
describes five vulnerabilities in the Omron CX-Supervisor. The vulnerabilities
were reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative.
Omron has a new version that mitigates the vulnerabilities. There is no
indication that Ruiz has been provided an opportunity to verify the efficacy of
the fix.
The five reported vulnerabilities are:
• Code injection - CVE-2018-19011;
• Command injection (2) - CVE-2018-19013 and CVE-2018-19015;
• Use after free - CVE-2018-19017; and
• Type confusion - CVE-2018-19019
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to cause a
denial-of-service condition and/or achieve code execution
with privileges within the context of the application.
NOTE: The Omron release
notes for the new version recommended in this NCCIC-ICS advisory list 8
ZDI-reported vulnerabilities (no details currently available on the ZDI site) as
corrected, along with a couple of other cybersecurity improvements.