Yesterday the DHS NCCIC-ICS published a control system security
advisory for products from Johnson Controls.

The advisory
describes an unquoted search path or element vulnerability in the Johnson
Controls exacqVision Server. The vulnerability was reported by Gjoko Krstic of
Applied Risk. Johnson Controls has a new version that mitigates the vulnerability.
There are no indications that Krstic has been provided an opportunity to verify
the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit this vulnerability to allow an
unauthenticated user to elevate their privileges.