Yesterday the DHS NCCIC-ICS published a control system
security advisory for products from Rockwell and a medical device security advisory
for products from Fujifilm.
Rockwell Advisory
This advisory describes
an open redirect vulnerability in the Rockwell MicroLogix 1400 and CompactLogix
5370 Controllers. The vulnerability was reported by Josiah Bryan and Geancarlo
Palavicini. Rockwell has new versions or updates to mitigate the
vulnerability in most devices. There is no indication that the researchers
have verified the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to input a malicious link redirecting
users to a malicious website.
Fujifilm Advisory
This advisory describes
two vulnerabilities in the Fujifilm FCR Capsula X/Carbon X. The vulnerabilities
were reported by Marc Ruef and Rocco Gagliardi of Scip AG. Fujifilm has provided
generic mitigation measures. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Uncontrolled resource consumption - CVE-2019-10948; and
• Improper access control - CVE-2019-10950.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to effect a denial-of-service
condition in affected cassette reader units, causing potential image loss or
device unavailability. Attackers could gain unauthorized access to the
underlying operating system, allowing arbitrary code execution.