Thursday, October 24, 2019

3 Advisories and 1 Update Published – 10-24-19

Today the CISA NCCIC-ICS published two control system security advisories for products from Honeywell and Rittal; a medical device security advisory for products from Philips; and an update for an advisory for products from Moxa.

Honeywell Advisory

This advisory describes a missing authentication for critical function vulnerability in the Honeywell IP-AK2 Access Control Panel. The vulnerability was reported by Maxim Rupp. Honeywell has a new firmware version that mitigates the vulnerability. There is no indication that Maxim was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to download configuration files directly through a URL without authentication, exposing configuration and authorized visitor information.

Rittal Advisory

This advisory describes two vulnerabilities in the Rittal Chiller SK 3232-Series. The vulnerabilities were reported by Applied Risk. Rittal will only provide mitigation information via email (presumably to their customers). The Applied Risk report notes that: “There has been no fix supplied by the vendor. The vendor was contacted regarding the vulnerabilities on 2nd of January 2019, but did not provide a response.”

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to disrupt the primary operations of the affected component, shut down cooling to other equipment, and allow changes to the temperature set point.

NOTE: Applied Risk reports that the vulnerability resides in the third-party ethernet interface card, Carel pCOWeb. The website for that product provides a lengthy list of other products from multiple vendors that use the same interface card. Presumably some or all of those products may be affected by the same vulnerabilities.

Philips Advisory

This advisory describes an exposure of resources to wrong sphere vulnerability in the Philips IntelliSpace Perinatal obstetrics information management system. The vulnerability was reported by Brian Landrum of Coalfire LABS. Philips has provided generic workarounds and may provide an update next year that may address the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker unauthorized access to system resources, including access to execute software or to view/update files, directories, or system configuration.

Moxa Update

This update provides additional information on an advisory that was originally published on February 26th, 2019. The new information includes:

• Added affected firmware version on IKS-G6824;
• Added recommend browsers information for vulnerability 7 of IKS-G6824 (CVE-2019-6561); and
• Added link to Moxa advisory (not annotated as a change on the NCCIC-ICS advisory).

No comments:

/* Use this with templates/template-twocol.html */