Tuesday, February 26, 2019

One Advisory Published – 02-26-19

Today the DHS NCCIC-ICS published a control system security advisory for products from Moxa. The advisory describes ten vulnerabilities in the Moxa IKS and EDS industrial switches. The vulnerabilities were reported by Ivan B, Sergey Fedonin, and Vyacheslav Moskvin of Positive Technologies Security. Moxa has a firmware patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Classic buffer overflow - CVE-2019-6557;
• Cross-site request forgery - CVE-2019-6561;
• Cross-site scripting - CVE-2019-6565;
• Improper access control - CVE-2019-6520;
• Improper restriction of excessive authentication request - CVE-2019-6524;
• Missing encryption of sensitive data - CVE-2019-6526;
• Out-of-bounds read - CVE-2019-6522;
• Unprotected storage of credentials - CVE-2019-6518;
• Predictable from observable state - CVE-2019-6563; and
Uncontrolled resource consumption - CVE-2019-6559

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow the reading of sensitive information, remote code execution, arbitrary configuration changes, authentication bypass, sensitive data capture, reboot of the device, device crash, or full compromise of the device.

No comments:

/* Use this with templates/template-twocol.html */