Yesterday the DHS NCCIC-ICS published two control system
security advisories for products from EZAutomation.
PLC Editor Advisory
This advisory
describes an improper restriction of operations within the bounds of a memory
buffer vulnerability in the EZAutomation EZ PLC Editor. The vulnerability was
reported by 9sg Security Team via the Zero Day Initiative. EZAutomation has a
new version that mitigates the vulnerability. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to execute code
under the privileges of the application.
EZ Touch Editor Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the EZAutomation EZ
Touch Editor. The vulnerability was reported by 9sg Security Team via the Zero
Day Initiative. EZAutomation has a new version that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to execute code
under the privileges of the application.