Today the DHS NCCIC-ICS published one control system
security advisory for products from Tridium and updates to two previously
published advisories for products from WECON and Rockwell.
Tridium Advisory
This advisory
describes two third-party vulnerabilities in the Tridium Niagara product. The
vulnerabilities are in the Blackberry QNX operating system. The vulnerabilities
were reported by Johannes Eger and Fabian Ullrich of Secure Mobile Networking
Lab, and Francisco Tacliad. Tridium has updates that mitigate the vulnerabilities.
There is no indication that the researchers have been provided the opportunity
to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Information exposure - CVE-2019-8998; and
• Improper authorization - CVE-2019-13528
NCCIC-ICS reported that a relatively low-skilled attacker
with local access could exploit the vulnerabilities to allow a local user to
escalate their privileges.
NOTE: Blackberry has published an
advisory on the first vulnerability.
WECON Update
This update
provides additional information on an advisory that was originally
published on February 5th, 2019. The new information includes
updated affected versions and mitigation information.
Rockwell Update
This update
provides additional information on an advisory that was originally
published on August 1st, 2019 and then updated on 09-05-19.
The new information is the addition of a new vulnerability; access of uninitialized
pointer - CVE-2019-13527.
NOTE: The updated Rockwell security advisory reports that kimiya of 9SG Security Team has reported 7
additional vulnerabilities, bringing the total to 15 for the Rockwell Arena
Simulation Software.