Today the CISA NCCIC-ICS published four control system
security advisories for products from Honeywell (3) and Advantech.
Cameras and Recorder Advisory
This advisory
describes an authentication bypass by capture-replay vulnerability in the
Honeywell equIP series and Performance series IP cameras and recorders. The
vulnerability is self-reported. Honeywell has a firmware update that mitigates
the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability, resulting in unauthenticated access.
NOTE: I briefly
reported on this vulnerability on September 14th, 2019.
Cameras Advisory
This advisory
describes a missing authentication for critical function vulnerability in the
Honeywell equIP series and Performance series IP cameras. The vulnerability is
self-reported. Honeywell has a firmware update that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability, which could result in unauthenticated
access.
equIP Advisory
This advisory
describes an improper input validation vulnerability in the Honeywell equIP
series IP cameras. This vulnerability is self-reported. Honeywell has a
firmware update that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial of service.
NOTE: I briefly
reported on this vulnerability on September 14th, 2019.
Advantech Advisory
This advisory
describes four vulnerabilities in the Advantech WISE-PaaS/RMM IoT device remote
monitoring and management platform. The vulnerabilities were reported by rgod
of 9sg Security Team and trendytofu via the Zero Day Initiative (ZDI). The
product is out-of-support and Advantech recommends replacing the product with EdgeSense
and DeviceOn.
The four reported vulnerabilities are:
• Path traversal - CVE-2019-13551;
• Missing authorization - CVE-2019-13547;
• Improper restriction of an XML external entity
reference - CVE-2019-18227; and
• SQL injection - CVE-2019-18229
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities, resulting in information disclosure,
remote code execution, and compromised system availability.