This week we have one vendor disclosure for products from CODESYS
and two exploits for previously disclosed vulnerabilities in products from
NUUO.
CODESYS Advisory
CODESYS has published an advisory
that describes a directory traversal vulnerability in their runtime system. This
vulnerability was reported by Ivan Cheyrezy of Schneider Electric. 3S has
released a new version that mitigates the vulnerability. There is no indication
that Cheyrezy has been provided an opportunity to verify the efficacy of the
fix.
NOTE: Somehow, I suspect that Schneider identified this
vulnerability in one of their products and traced it back to CODESYS code in
that product. We may be seeing a Schneider advisory for this vulnerability in
the near future.
NUUO Exploits
Pedro Ribeiro published two Metasploit modules for two
vulnerabilities (here and here) in the NUUO Central
Management Software platform that he had previously
disclosed through NCCIC-ICS.
The two vulnerabilities for which the Metasploit modules
were published are:
• Unrestricted upload of file of dangerous type; and
• SQL injection