Friday, June 7, 2019

Two Advisories Published – 06-06-19


This advisory describes two vulnerabilities in the Panasonic Control FPWIN Pro PLC programming software. The vulnerabilities were reported by kimiya of 9sg Security Team via the Zero Day Initiative. Panasonic has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Heap-based buffer overflow - CVE-2019-6530; and
Type Confusion - CVE-2019-6532

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to crash the device and allow remote code execution.

Optergy Advisory


This advisory describes eight vulnerabilities in the Optergy Proton/Enterprise Building Management System. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Optergy has a new version that mitigates the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities are:

Information exposure (2) - CVE-2019-7272 and CVE-2019-7277;
Cross-site request forgery - CVE-2019-7273;
Unrestricted upload of file with dangerous type - CVE-2019-7274;
Open redirect - CVE-2019-7275;
Hidden functionality - CVE-2019-7276;
Exposed dangerous method or function - CVE-2019-7278; and
Use of hard-coded credentials - CVE-2019-7279

NOTE: I briefly reported on these vulnerabilities last month. Interestingly, the Applied Risk advisory describes six vulnerabilities but provided all eight of the above CVEs.
