Today the DHS NCCIC-ICS published a control system security
advisory for products from Johnson Controls and a medical device security advisory
for products from Drager.
Johnson Controls Advisory
This advisory
describes two vulnerabilities in the Johnson Controls Facility Explorer. The
vulnerabilities were reported by Tridium. Johnson Controls has new versions
that mitigate the vulnerabilities. There is no indication that Tridium has been
provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Path traversal - CVE-2017-16744; and
• Improper authentication - CVE-2017-16748
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to read, write, and delete sensitive
files and thereby gain administrator privileges in the Facility Explorer
system.
Drager Advisory
This advisory
describes three vulnerabilities in the Drager Infinity Delta patient monitoring
devices. The vulnerabilities were reported by Marc Ruef and Rocco Gagliardi, of
scip AG. Drager has new versions that mitigate the vulnerabilities. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The three reported vulnerabilities are:
• Improper input validation - CVE-2018-19010;
• Information exposure through log files - CVE-2018-19014; and
• Improper privilege management - CVE-2018-19012
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to cause
information disclosure of device logs, denial of service through device reboots
of the patient monitors, and privilege escalation.
NOTE: The Drager security advisory lists an additional vulnerability for one
of the affected products: “Several 3rd party components were found outdated
and vulnerable to several published security vulnerabilities.”