Today the DHS NCCIC-ICS published two control system
security advisories for products from Columbia Weather Systems and AVEVA.
Columbia Advisory
This advisory
describes six vulnerabilities in the Columbia Weather MicroServer weather
monitoring system. The vulnerabilities were reported by John Elder and Tom
Westenberg of Applied Risk. Columbia has a firmware update that mitigates the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Cross-site scripting (2) - CVE-2018-18875
and CVE-2018-18880;
• Path traversal - CVE-2018-18876;
• Improper authentication - CVE-2018-18877;
• Improper input validation - CVE-2018-18878;
and
• Code injection - CVE-2018-18879
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow disclosure of data, cause
a denial-of-service condition, and allow remote code execution.
AVEVA Advisory
This advisory
describes an uncontrolled search path element vulnerability in the AVEVA InduSoft
Web Studio, InTouch Edge HMI products. The vulnerability is in a third-party
component; Gemalto Sentinel UltraPro encryption keys (separately reported
last week). The vulnerability was reported by ADLab of Venustech. AVEVA has
updates available to mitigate the vulnerability. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to allow execution
of unauthorized code or commands.
NOTE: I wonder how many other vendors are using the Gemalto
product?
Posts
No comments:
Post a Comment