Today the CISA NCCIC-ICS published two control system
security advisories for products from Honeywell and Rittal; a medical device
security advisory for products from Philips; and an update for an advisory for
products from Moxa.
Honeywell Advisory
This advisory
describes a missing authentication for critical function vulnerability in the
Honeywell IP-AK2 Access Control Panel. The vulnerability was reported by Maxim
Rupp. Honeywell has a new firmware version that mitigates the vulnerability.
There is no indication that Maxim was provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker to download
configuration files directly through a URL without authentication, exposing
configuration and authorized visitor information.
Rittal Advisory
This advisory
describes two vulnerabilities in the Rittal Chiller SK 3232-Series. The
vulnerabilities were reported by Applied Risk. Rittal will only provide
mitigation information via email (presumably to their customers). The Applied
Risk report
notes that: “There has been no fix supplied by the vendor. The vendor was
contacted regarding the vulnerabilities on 2nd of January 2019, but did not
provide a response.”
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to disrupt the primary operations of
the affected component, shut down cooling to other equipment, and allow changes
to the temperature set point.
NOTE: Applied Risk reports that the vulnerability resides in
the third-party ethernet interface card, Carel pCOWeb. The website
for that product provides a lengthy list of other products from multiple vendors
that use the same interface card. Presumably some or all of those products may
be affected by the same vulnerabilities.
Philips Advisory
This advisory
describes an exposure of resources to wrong sphere vulnerability in the Philips
IntelliSpace Perinatal obstetrics information management system. The vulnerability
was reported by Brian Landrum of Coalfire LABS. Philips has provided generic
workarounds and may provide an update next year that may address the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to allow an
attacker unauthorized access to system resources, including access to execute
software or to view/update files, directories, or system configuration.
Moxa Update
This update
provides additional information on an advisory that was originally
published on February 26th, 2019. The new information includes:
• Added affected firmware version on IKS-G6824;
• Added recommend browsers information for vulnerability 7 of IKS-G6824 (CVE-2019-6561); and
• Added link
to Moxa advisory (not annotated as a change on the NCCIC-ICS advisory).
Posts
No comments:
Post a Comment