Today the DHS NCCIC-ICS published two control system
security advisories for products from Mitsubishi Electric and Computrols.
Mitsubishi Advisory
This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC-Q
series Ethernet module. The vulnerability was reported by Younes Dragoni and
Alessandro Di Pinto of Nozomi Networks. Mitsubishi has a new firmware version
that mitigates the vulnerability. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to render the device unresponsive,
requiring a physical reset of the PLC (Programmable Logic Controller).
Computrols Advisory
This advisory describes nine vulnerabilities in the Computrols CBAS Web, a Web Building
Management System (BMS). The vulnerabilities were
reported by Gjoko Krstic of Applied Risk. Computrols has new firmware versions
that mitigate the vulnerabilities. There is no indication that Krstic has been
provided an opportunity to verify the efficacy of the fix.
The nine reported vulnerabilities are:
• Cross-site request forgery - CVE-2019-10847;
• Information exposure through discrepancy - CVE-2019-10848;
• Cross-site scripting - CVE-2019-10846;
• Command injection - CVE-2019-10854;
• Information exposure through source code - CVE-2019-10849;
• Hard-coded encryption key - CVE-2019-10851;
• SQL injection - CVE-2019-10852;
• Authentication bypass using alternate path or channel - CVE-2019-10853; and
• Inadequate encryption strength - CVE-2019-10855.
NOTE: The Applied Risk report and the Computrols
advisory also include an additional vulnerability: default credentials - CVE-2019-10850.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow unauthorized actions with
administrative privileges, disclosure of sensitive information, execution of
code within a user’s browser, execution of unauthorized OS commands,
unauthorized access to the database, execution of unauthorized SQL commands,
authentication bypass, or decryption of passwords.
NOTE: I briefly discussed these vulnerabilities on Saturday.