Yesterday the DHS NCCIC-ICS published a control system
security advisory for products from Rockwell and a medical device security
advisory for products from Philips.
Rockwell Advisory
This advisory
describes two vulnerabilities in the Rockwell CompactLogix 5370 programmable
automation controllers. The vulnerabilities were reported by Younes Dragoni of
Nozomi Networks and George Lashenko of CyberX respectively. Rockwell has
firmware updates to mitigate the vulnerabilities. There is no indication that
either researcher was provided an opportunity to verify the efficacy of the
fix.
The two reported vulnerabilities are:
• Uncontrolled resource consumption - CVE-2019-10952;
and
• Stack-based buffer overflow - CVE-2019-10954
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow a remote attacker to render
the web server unavailable and/or place the controller in a major
non-recoverable faulted state (MNRF).
Philips Advisory
This advisory
describes a cross-site scripting vulnerability in the Philips Tasy EMR workflow
based information system. The vulnerability was reported by Rafael Honorato.
Phillips has provided generic workarounds to mitigate the vulnerability. There
in no indication that Honorato has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with site or VPN access could exploit the vulnerability to provide unexpected
input into the application, execute arbitrary code, alter the intended control
flow of the system, and access sensitive information.
Posts
No comments:
Post a Comment