Today the DHS NCCIC-ICS published three control system security advisories for products from PEPPERL+FUCHS, Gemalto and Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS).
PEPPERL+FUCHS Advisory
This advisory describes a path traversal vulnerability in the PEPPERL+FUCHS WirelessHART-Gateways. The vulnerability was publicly reported (with exploit) by Hamit CİBO. PEPPERL+FUCHS has firmware upgrades to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to remotely exploit this vulnerability to allow access to files and restricted directories stored on the device through the manipulation of file parameters.
NOTE: I briefly reported on this vulnerability last Saturday.
Gemalto Advisory
This advisory describes an uncontrolled search path element in the Gemalto Sentinel UltraPro. The vulnerability was reported by ADLab of Venustech. Gemalto has a software update to mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to load and execute a malicious file from the ux32w.dll in Sentinel UltraPro.
NOTE: Gemalto issued an early warning to upgrade the UltraPro software back on January 19th, 2019 with a restricted link to their advisory on this product. I do not know what information was included in that advisory.
LCDS Advisory
This advisory describes an out-of-bounds write vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by Mat Powel via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability. There is no indication that Powel was provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow remote code execution.