Yesterday the DHS NCCIC published two control system
security advisories for products from Quest and Schneider Electric.
Quest Advisory
This advisory
describes an improper input validation vulnerability in the Quest KACE Systems
Management Appliance. The vulnerability was reported by Juan Pablo Lopez
Yacubian. Quest reports that newer versions mitigate the vulnerability. There
is no indication that Yacubian has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to allow an administrative user
unintentional access to the underlying operating system of the device.
Schneider Advisory
This advisory
describes an improper check for unusual or exceptional conditions vulnerability
in the Schneider Modicon Controllers. The vulnerability was reported by Zhang
Xiaoming, Zhang Jiawei, Sun Zhonghao and Luo Bing of CNCERT/CC. Schneider has
new firmware versions that mitigate the vulnerability. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial-of-service
condition.