Today the DHS NCCIC-ICS published a control system security advisory for products from Zebra and two updates for advisories for products from Siemens and Sierra Wireless.
Zebra Advisory
This advisory describes an insufficiently protected credentials vulnerability in Zebra Industrial Printers. The vulnerability was reported by Tri Quach. Zebra has a new version that mitigates the vulnerability. There is no indication that Tri has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability remotely by sending specially crafted packets to a port on the printer, resulting in the retrieval of a front control panel passcode.
Siemens Update
This update provides new information on an advisory that was originally published on August 13th, 2019. NCCIC-ICS changed the vulnerability description from ‘uncontrolled resource consumption’ to ‘insufficient resource pool’. There was no corresponding change in the Siemens advisory; Siemens does not use CWE vulnerability titles or codes in their advisories.
Sierra Wireless Update
This update provides new information on an advisory that was originally published on May 2nd, 2019. The update reports that the ALEOS 4.12.0 Release Note is now available.