Saturday, November 30, 2019

Public ICS Disclosures – Week of 11-23-19


This week we have two vendor disclosures from Drager and Moxa. We also have two possible 0-day exploits for products from AVEVA.

Drager Advisory


Drager published an advisory describing two vulnerabilities in their SC Monitoring product line. The vulnerabilities were reported by Jeroen Slobbe and Max Grim. The products have reached end-of-life and no mitigation measures are being offered by Drager.

The two reported vulnerabilities are:

• Denial of service; and
• Hard-coded credentials

Moxa Advisory


Moxa published an advisory concerning the URGENT/11 vulnerabilities. They report that none of their products are affected.

AVEVA Exploits


Chuyreds published exploit code for a denial of service vulnerability in the AVEVA InTouch Machine. There is no report of a CVE number or vendor coordination in the document, so this may be a 0-day vulnerability.

Chuyreds published exploit code for a denial of service vulnerability in the AVEVA InduSoft Web Studio. There is no report of a CVE number or vendor coordination in the document, so this may be a 0-day vulnerability.

NOTE: The exploits look very similar, so this probably reflects a common vulnerability in the two products. I do not see an AVEVA advisory for the two products with a similar vulnerability.
