Yesterday the DHS NCCIC-ICS published two control system
security advisories for products from National Renewable Energy Laboratory
(NREL) and Mitsubishi Electric. They also updated a previously published medical
device advisory from GE Healthcare.
NREL Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the NREL EnergyPlus
energy simulation program. The vulnerability was reported by Karn Ganeshen.
NREL has an update available that mitigates the vulnerability. There is no indication
that Ganeshen has been provided an opportunity to verify the efficacy of the
fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to
execute arbitrary code or cause a denial-of-service condition.
NOTE: There is nothing on the DOE’s EnergyPlus web site about this
vulnerability, nor do I see any POC for reporting cybersecurity concerns. DOE,
really?
Mitsubishi Advisory
This advisory
describes two vulnerabilities in the Mitsubishi Electric FR Configurator. The
vulnerabilities were reported by Applied Risk. Mitsubishi has a new version that
mitigates the vulnerabilities. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper restriction of an XML external entity
reference - CVE-2019-10976; and
• Uncontrolled resource consumption - CVE-2019-10972
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerabilities to read arbitrary
files or cause a denial-of-service condition.
GE Update
This update
provides additional information on an advisory that was originally
reported on July 9th, 2019. The new information is the addition
of more covered products.
NOTE: I briefly
reported on GE’s update last Saturday.