Today the DHS NCCIC-ICS published three control system
security advisories for products from Honeywell, Siemens and Advantech.
Honeywell Advisory
The advisory
describes an information exposure vulnerability in the Honeywell Performance IP Series cameras and Performance
Series NVRs are affected. The vulnerability was reported by Ismail Bulbil.
Honeywell has an update that mitigates the vulnerability. There is no
indication that Bulbil has been provided an opportunity to verify the efficacy
of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker to view device configuration
information.
NOTE 1: The Honeywell
advisory for this vulnerability was published on April 30th, 2019.
Two additional advisories were published last Friday. I will discuss these on
Saturday unless NCCIC-ICS publishes their advisories later this week.
NOTE 2: The link to the Honeywell advisory in this advisory does
not work.
Siemens Advisory
The advisory
describes four vulnerability in the Siemens SINEMA Remote Connect Server. The
vulnerabilities were reported by Hendrik Derre and Tijl Deneut from HOWEST.
Siemens has a new version that mitigates the vulnerabilities. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The four reported vulnerabilities are:
• Improper restriction of excessive authentication
attempts - CVE-2019-13918;
• Information exposure - CVE-2019-34623;
• Cross-site request forgery - CVE-2019-13920; and
• Use of password hash with insufficient computational
effort - CVE-2019-13922
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to allow an attacker unauthorized access
to the web interface, improper access to privileged user and device
information, and may allow successful CSRF attacks.
NOTE: I briefly
reported on these vulnerabilities last Saturday.
Advantech Advisory
The advisory
describes four vulnerabilities in the Advantech WebAccess HMI platform. The vulnerabilities
were reported by Peter Cheng of Elextec Security Tech. Co., and Mat Powell of
the Zero Day Initiative. Advantech has a new version that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The four reported advisories are:
• Code injection (2) - CVE-2019-13558, and CVE-2019-13552;
• Stack-based buffer overflow - CVE-2019-13556; and
• Improper authorization - CVE-2019-13550
Posts
No comments:
Post a Comment