Today the DHS NCCIC-ICS published a control system security
advisory for products from PSI GridConnect and an update for a previously
published advisory for products from Kunbus.
PSI Advisory
This advisory
describes a cross-site scripting vulnerability in the PSI Telecontrol Gateway,
Smart Telecontrol Unit family, and IEC104
Security Proxy. The vulnerability was reported by M. Can Kurnaz. PSI has a
version that mitigates the vulnerability. There is no indication that Kurnaz
has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to execute dynamic
scripts in the context of the application, which could allow
cross-site scripting attacks.
Kunbus Update
This update
provides additional information on an advisory that was originally
published on February 5th, 2019 and updated on February
7th, 2019. The update provides a link to a new version that
mitigates the vulnerabilities. There is no indication that the researcher
involved was provided an opportunity to verify the efficacy of the fix.