Tuesday, May 21, 2019

Two Advisories Published – 05-21-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Computrols.

Mitsubishi Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC-Q series Ethernet module. The vulnerability was reported by Younes Dragoni and Alessandro Di Pinto of Nozomi Networks. Mitsubishi has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to render the device unresponsive, requiring a physical reset of the PLC (Programmable Logic Controller).

Computrols Advisory


This advisory describes nine vulnerabilities in the Computrols CBAS Web, a Web Building Management System (BMS). The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Computrols has new firmware versions that mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

Cross-site request forgery - CVE-2019-10847;
Information exposure through discrepancy - CVE-2019-10848;
Cross-site scripting - CVE-2019-10846;
Command injection - CVE-2019-10854;
Information exposure through source code - CVE-2019-10849;
Hard-coded encryption key - CVE-2019-10851;
SQL injection - CVE-2019-10852;
Authentication bypass using alternate path or channel - CVE-2019-10853; and
Inadequate encryption strength - CVE-2019-10855

NOTE: the Applied Risk report and the Computrols advisory also include an additional vulnerability; default credentials - CVE-2019-10850.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow unauthorized actions with administrative privileges, disclosure of sensitive information, execution of code within a user’s browser, execution of unauthorized OS commands, unauthorized access to the database, execution of unauthorized SQL commands, authentication bypass, or decryption of passwords.

NOTE: I briefly discussed these vulnerabilities on Saturday.
