Wednesday, July 3, 2019

2 Advisories Published – 07-02-19


Yesterday the DHS NCCIC published two control system security advisories for products from Quest and Schneider Electric.

Quest Advisory


This advisory describes an improper input validation vulnerability in the Quest KACE Systems Management Appliance. The vulnerability was reported by Juan Pablo Lopez Yacubian. Quest reports that newer versions mitigate the vulnerability. There is no indication that Yacubian has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability, allowing an administrative user unintended access to the underlying operating system of the device.

Schneider Advisory


This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon Controllers. The vulnerability was reported by Zhang Xiaoming, Zhang Jiawei, Sun Zhonghao and Luo Bing of CNCERT/CC. Schneider has new firmware versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.
