This week we have three new vendor disclosures concerning
the VxWorks URGENT/11 vulnerabilities and three researcher announcements of
vulnerabilities in products from Reliable Controls (2) and VISAM.
URGENT/11 Advisories
Three new vendors have published advisories related to the VxWorks
URGENT/11 vulnerabilities reported by Armis Labs: Bosch, Omron
and Philips. Below I have listed links to all of the vendor disclosures that I
have discovered to date:
• Rockwell;
• Xerox;
• Siemens (in an out-of-cycle report);
• Schneider;
• ABB, in:
◦ AC 800PEC;
• Belden;
• Omron (not affected); and
• Philips
It is great to see that Omron is reporting no exposure to
the vulnerabilities. That is as valuable to their customers as the advisories
being published by affected vendors.
Reliable Controls Advisories
MACH-ProWeb Advisory
Applied Risk published a
report describing a reflected XSS vulnerability in the Reliable Controls MACH-ProWeb
BACnet Building Controller. Applied Risk reports that they have not received a
response from the vendor to their January 29th, 2019 report on this vulnerability.
Reliable Controls LicenseManager Advisory
Applied Risk published a
report describing a privilege escalation vulnerability in the Reliable Controls
RC-LicenseManager in the Reliable Controls RC-Studio (MACH-System) software. Applied
Risk reports that they have not received a response from the vendor to their January
29th, 2019 report on this vulnerability.
VISAM Advisory
Applied Risk has published a
report describing five vulnerabilities in the VISAM Automation Base (VBASE) HMI
/ SCADA. Applied Risk reports that as of July 8th, 2019 (apparently
the date of last communication from VISAM) no mitigation has been made
available for these vulnerabilities.
The five reported vulnerabilities are:
• Information disclosure via directory traversal;
• Insecure file permissions privilege escalation;
• Password protection security bypass;
• Cryptographic key disclosure; and
• Buffer overflow