Saturday, July 20, 2019

Public ICS Disclosures – Week of 07-13-19


This week we have one vendor disclosure from ABB, two updates of previously published advisories from GE Healthcare and BD, and two researcher exploits for products from FANUC Robotics.

ABB Advisory


ABB has published an advisory describing an authentication bypass vulnerability in the ABB CCLAS and Ellipse applications. The vulnerability is self-reported. ABB has new versions that mitigate the vulnerability.

GE Healthcare Update


GE Healthcare has updated an advisory that was originally published on July 9th, 2019. The new information expands the list of affected products.

BD Update


BD has updated an advisory that was originally published on November 1st, 2016 (this has not been reported by NCCIC-ICS). BD notes:

“As a result, BD has issued this updated security bulletin to remind customers, hospital biomedical engineering, and rental companies that Service Bulletin 597 must be followed to remove residual data on the PCU prior to re-deployment or during decommissioning. BD has carefully reviewed the misdirected data, and determined that it is de-identified based on a statistical expert opinion, and therefore, not protected health information. In addition, BD conducted a risk assessment using the HIPAA 4-factor test and concluded there was a low probability of compromise of such data.”

FANUC Robotics Exploits


Sebastian Hamann has published exploits for two vulnerabilities in the FANUC Robotics Virtual Robot Controller. Hamann has not received any response from FANUC concerning these vulnerabilities.

The two reported vulnerabilities (links provided to Hamann’s exploit reports) are:

Stack-based buffer overflow - CVE-2019-13585; and
Path traversal - CVE-2019-13584
