Saturday, February 2, 2019

Public ICS Disclosures – Week of 01-26-19

Tenable published a report on three vulnerabilities in the LabKey Server Community medical data collaboration tool. LabKey has produced a new version that mitigates the vulnerabilities. There is no indication that Tenable has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2019-3911;
• Open redirects - CVE-2019-3912; and
• Logic flaw in network drive mapping functionality - CVE-2019-3913

NOTE: The Tenable report includes proof of concept exploit details.

OSIsoft Alert

OSIsoft has published an alert for a Windows® update problem for the OSIsoft PI Interface for OPC DA/HDA/Alarms and Events product. Under specific conditions, running the Windows security update KB4480960 will result in a denial of service condition. The condition can be mitigated by applying the Microsoft hotfix KB4487345.

Okay, this is not actually a security vulnerability, but it is a potential problem arising from the application of a security measure: applying a product update. This is a good example of why it is necessary to apply updates to a non-operational version of the control system network prior to applying them to the operational version. Identifying the problem and fixing it may be a pain, but operations are not affected.

