Today the DHS NCCIC-ICS published a control system advisory
for products from Emerson. The advisory
describes two vulnerabilities in the Emerson Ovation OCR400 Controller. The
vulnerability was reported by VDLab. Emerson has provided detailed mitigation
measures. There is no indication that VDLab has been provided an opportunity to
verify the efficacy of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2019-10967; and
• Heap-based buffer overflow - CVE-2019-10965
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow privilege escalation or
remote code execution, or it may halt the controller.
NOTE: The advisory notes that the vulnerabilities are “in
the embedded third-party FTP server”. Failure to name the third-party vendor
means it will be difficult for other vendors to know if the same vulnerability
might exist in any of their products using a ‘third-party FTP server’.
Posts
No comments:
Post a Comment