Yesterday the CISA NCCIC-ICS published two control system
security advisories for products from Fuji Electric and Mitsubishi Electric;
and two medical device security advisories for products from Medtronic (2). They
also updated a previously published medical device advisory for products from
Philips.
Fuji Advisory
This advisory
describes a heap-based buffer overflow vulnerability in the Fuji V-Server. The vulnerability
was reported by kimiya of 9SG via the Zero Day Initiative. Fuji has a new version
that mitigates the vulnerability. There is no indication that kimiya has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to crash the device
being accessed; several heap-based buffer overflows have been identified.
Mitsubishi Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC-Q
Series and MELSEC-L Series CPU Modules. The vulnerability was reported by Tri
Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group.
Mitsubishi has a new firmware version that mitigates the vulnerability. There
is no indication that Tri has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to prevent the FTP client from
connecting to the FTP server on MELSEC-Q Series and MELSEC-L Series CPU modules.
Only the FTP server function is affected by this vulnerability.
Medtronic Advisory #1
This advisory
describes two RFID security vulnerabilities in the Medtronic Valleylab energy
and electrosurgery products. The vulnerabilities are self-reported. Medtronic
has a patch available to mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Improper authentication - CVE-2019-13531; and
• Protection mechanism failure - CVE-2019-13535
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to connect
inauthentic instruments to the affected products by
spoofing RFID security mechanisms. This may lead to a loss of performance
integrity and platform availability due to incorrect identification of
the instrument and associated parameters.
Medtronic Advisory #2
This advisory
describes four vulnerabilities in the Medtronic Valleylab energy products. The
vulnerabilities are self-reported. Medtronic has patches available to mitigate
the vulnerabilities.
The four reported vulnerabilities are:
• Use of hard-coded credentials - CVE-2019-13543;
• Reversible one-way hash - CVE-2019-13539; and
• Improper input validation (2) - CVE-2019-3464 and CVE-2019-3463.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to overwrite files or
remotely execute code, resulting in a remote, non-root shell on the affected
products. By default, the network connections on these devices are disabled.
Additionally, the Ethernet port is disabled upon reboot. However, it is known
that network connectivity is often enabled.
Philips Update
This update
provides new information for an advisory that was originally reported on April
30th, 2019.
The new information includes:
• Revised (increased) overall CVSS score;
• Information exposure vulnerability added;
• Added Tasy WebPortal to affected product list;
• Added Trabalho Médico IT Department as a vulnerability reporter; and
• Reported that a new version mitigates the vulnerabilities.