Today the DHS NCCIC-ICS published a control system security
advisory for products from Red Lion Controls and a medical device security
advisory for products from BD. They also published two advisory updates for
products from Rockwell.
Red Lion Advisory
This advisory
describes four vulnerabilities in the Red Lion Controls Crimson (Windows
configuration software). The vulnerabilities were reported by Michael DePlante,
Anthony Fuller, and Todd Manning via the Zero Day Initiative. Red Lion has a
new release that mitigates the vulnerabilities. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The four reported vulnerabilities are:
• Use after free - CVE-2019-10996;
• Improper restriction of operations within the
bounds of a memory buffer - CVE-2019-10978;
• Pointer issues - CVE-2019-10984; and
• Use of hard-coded cryptographic key - CVE-2019-10990
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute
code, crash the device, or view protected data.
BD Advisory
This advisory
describes a session fixation vulnerability in the BD Pyxis medication
management platform. The vulnerability is self-reported. BD has a new version
that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to use the Active Directory (AD)
credentials of a previously authenticated user to gain access to the device.
This could result in an attacker having the same level of privilege previously
granted to a user prior to account expiration, and could allow access to
patient data and medications. The BD
advisory reports that “a malicious attacker must bypass physical controls
to obtain physical access to the hospital, physical access to the devices
impacted and utilize expired Active Directory credentials.”
Medical Device Security Patient Engagement Meeting
The FDA announced
that the Center for Devices and Radiological Health’s (CDRH) Patient Engagement
Advisory Committee will be holding a meeting on September 10th, 2019
to address “Cybersecurity in Medical Devices:
Communication That Empowers Patients”. The meeting will be webcast and
the public is invited to participate.
Allen-Bradley Update
This update
provides additional information on an advisory that was originally
published on February 19th, 2019 (not the 2-9-19 date reported
in the update). The new information includes a link to a patch that mitigates
the vulnerabilities.
NOTE: I briefly
reported on the Rockwell update last Saturday.
Arena Simulation Update
This update
provides additional information on an advisory that was originally
published on August 1st, 2019. The new information includes:
• Two new vulnerabilities (type confusion and insufficient
UI warning of dangerous operations); and
• Removal of the link to the Rockwell advisory.
NOTE 1: The link provided in the original advisory did not
work. Here is the one that I use to get to the list of Rockwell advisories (login
required): https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102.
NOTE 2: There is no corresponding update to the Rockwell
Advisory.