Tuesday, May 28, 2019

One Advisory Published – 05-28-19


Today the DHS NCCIC-ICS published a control system advisory for products from Emerson. The advisory describes two vulnerabilities in the Emerson Ovation OCR400 Controller. The vulnerabilities were reported by VDLab. Emerson has provided detailed mitigation measures. There is no indication that VDLab has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-10967; and
Heap-based buffer overflow - CVE-2019-10965

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to achieve privilege escalation or remote code execution, or to halt the controller.
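Both bug classes named above (stack-based and heap-based buffer overflow in an FTP server) come from copying a client-controlled command argument into a fixed-size buffer without checking its length. The example below is an added illustration, not Emerson's or the third-party FTP server's code, and it assumes nothing about the OCR400 implementation; the function names, the 512-byte line cap and the 255-byte argument cap are this example's own choices. It shows a bounded parser for a line such as "USER alice\r\n" that rejects over-length input instead of writing past the end of a stack array, plus a heap variant that allocates only after the length has been validated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caps chosen for this example (hypothetical policy, not from the advisory). */
#define FTP_LINE_MAX 512
#define FTP_ARG_MAX  255

enum ftp_parse_status { FTP_OK = 0, FTP_TOO_LONG = 1, FTP_MALFORMED = 2 };

/*
 * Copy the argument of an FTP command line ("USER alice\r\n") into a
 * caller-supplied buffer of arg_cap bytes. The unsafe pattern behind a
 * stack-based overflow is strcpy()/sprintf() of this argument into a
 * local array with no length check; here every copy is bounded and
 * over-length input is refused rather than silently truncated.
 */
enum ftp_parse_status ftp_parse_arg(const char *line, size_t line_len,
                                    char *arg_out, size_t arg_cap)
{
    if (line_len > FTP_LINE_MAX)
        return FTP_TOO_LONG;
    const char *sp = (const char *)memchr(line, ' ', line_len);
    if (sp == NULL)
        return FTP_MALFORMED;              /* no argument at all */
    const char *arg = sp + 1;
    size_t arg_len = line_len - (size_t)(arg - line);
    /* Strip the trailing CRLF if present. */
    while (arg_len > 0 && (arg[arg_len - 1] == '\r' || arg[arg_len - 1] == '\n'))
        arg_len--;
    if (arg_len == 0)
        return FTP_MALFORMED;
    if (arg_len >= arg_cap)                /* keep room for the NUL terminator */
        return FTP_TOO_LONG;
    memcpy(arg_out, arg, arg_len);
    arg_out[arg_len] = '\0';
    return FTP_OK;
}

/*
 * Heap variant: validate first, then allocate exactly strlen+1 bytes.
 * A heap-based overflow typically comes from sizing the allocation from
 * one length and copying by another; using one validated length avoids it.
 */
char *ftp_dup_arg(const char *line, size_t line_len)
{
    char tmp[FTP_ARG_MAX + 1];
    if (ftp_parse_arg(line, line_len, tmp, sizeof tmp) != FTP_OK)
        return NULL;
    size_t n = strlen(tmp);
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, tmp, n + 1);
    return copy;
}

/* Constructed input: a well-formed USER command. Returns 1 on success. */
int demo_ok(void)
{
    const char line[] = "USER alice\r\n";
    char name[FTP_ARG_MAX + 1];
    return ftp_parse_arg(line, sizeof line - 1, name, sizeof name) == FTP_OK
        && strcmp(name, "alice") == 0;
}

/* Constructed input: a 300-byte argument, within the line cap but over the
 * argument cap. Returns the parser status (expected FTP_TOO_LONG). */
int demo_overlong_arg(void)
{
    char line[5 + 300 + 2];
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', 300);
    memcpy(line + 305, "\r\n", 2);
    char name[FTP_ARG_MAX + 1];
    return (int)ftp_parse_arg(line, sizeof line, name, sizeof name);
}

/* Heap path on the well-formed line. Returns 1 if the copy matches. */
int demo_heap(void)
{
    const char line[] = "USER alice\r\n";
    char *copy = ftp_dup_arg(line, sizeof line - 1);
    int ok = copy != NULL && strcmp(copy, "alice") == 0;
    free(copy);
    return ok;
}

int main(void)
{
    printf("well-formed: %d\n", demo_ok());          /* 1 */
    printf("overlong arg: %d\n", demo_overlong_arg()); /* 1 == FTP_TOO_LONG */
    printf("heap copy: %d\n", demo_heap());          /* 1 */
    return 0;
}
```

The defensive point is that the length check happens before any copy and the same validated length drives both the stack buffer write and the heap allocation; an embedded FTP server that follows this pattern cannot be pushed into either overflow class by a long command argument, regardless of which vendor supplied it.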

NOTE: The advisory notes that the vulnerabilities are “in the embedded third-party FTP server”. Failure to name the third-party vendor means it will be difficult for other vendors to know if the same vulnerability might exist in any of their products using a ‘third-party FTP server’.

