Thursday, January 31, 2019

Two Advisories and Two Updates Published – 01-31-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Schneider and IDenticard. They also updated two previously published advisories for products from Omron and Siemens.

Schneider Advisory


This advisory describes three vulnerabilities in the Schneider EVLink Parking product. The vulnerabilities were reported by Vladimir Kononovich and Vyacheslav Moskvin of Positive Technologies. Schneider has an update available that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hardcoded credentials - CVE-2018-7800;
• Code injection - CVE-2018-7801; and
• SQL injection - CVE-2018-7802

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to stop the device and prevent charging, execute arbitrary commands, and access the web interface with full privileges.

NOTE: I briefly discussed these vulnerabilities in December just as the Federal Funding Fiasco started.

IDenticard Advisory


This advisory describes three vulnerabilities in the IDenticard PremiSys WCF Service access control system. The vulnerabilities were reported by Jimi Sebree working with Tenable. IDenticard has a software update that mitigates two of the three vulnerabilities. There is no indication that Sebree has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Hard-coded credentials - CVE-2019-3906;
• Inadequate encryption strength - CVE-2019-3907; and
• Use of hard-coded password - CVE-2019-3908

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available information to exploit the vulnerabilities to view sensitive information via backups, obtain access to credentials, and/or obtain full access to the system with admin privileges.

NOTE: The Tenable report on these vulnerabilities adds a fourth vulnerability: default database credentials - CVE-2019-3909.

Omron Update


This update provides additional information on an advisory that was originally published on October 18th, 2018. The update added Esteban Ruiz (mr_me) of Source Incite as one of the researchers reporting the vulnerabilities.

Siemens Update


This update provides additional information on an advisory that was originally published on June 14th, 2018. The update added affected version information and provided a mitigation link for RUGGEDCOM WiMAX.

NOTE: I briefly discussed this update (and six other Siemens updates published on the same day) earlier this month.
