On Thursday the DHS NCCIC-ICS published two control system
security advisories for products from Fuji Electric and Schneider Electric.
Fuji Advisory
This advisory
describes an out-of-bounds read vulnerability in the Fuji Alpha7 PC Loader motor
controller. The vulnerability was reported by kimiya of 9SG Security Team via
the Zero Day Initiative. Fuji has a new version that mitigates the
vulnerability. There is no indication that kimiya has been provided an
opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to crash the
device.
Schneider Advisory
This advisory
describes a use of insufficiently random values vulnerability in the Schneider Modicon
M580, Modicon M340, Modicon Premium, and Modicon Quantum products. The vulnerability
was reported by David Formby and Raheem Beyah of Fortiphyd Logic and Georgia
Tech. Schneider has a firmware update available for one of the products and has
provided generic workarounds for the others. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to hijack TCP connections or cause
information leakage.