Thursday, February 28, 2019

One Advisory and One Update Published – 02-28-19

Today the DHS NCCIC-ICS published a control system security advisory for products from PSI GridConnect and an update for a previously published advisory for products from Kunbus.

PSI Advisory

This advisory describes a cross-site scripting vulnerability in the PSI Telecontrol Gateway, Smart Telecontrol Unit family, and IEC104 Security Proxy. The vulnerability was reported by M. Can Kurnaz. PSI has a version that mitigates the vulnerability. There is no indication that Kurnaz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute dynamic scripts in the context of the application, which could allow cross-site scripting attacks.

Kunbus Update

This update provides additional information on an advisory that was originally published on February 5th, 2019 and updated on February 7th, 2019. The update provides a link to a new version that mitigates the vulnerabilities. There is no indication that the researcher involved was provided an opportunity to verify the efficacy of the fix.
