Tuesday, December 3, 2019

2 Advisories Published – 12-03-19

Today the CISA NCCIC-ICS published two control system security advisories for products from Moxa and Reliable Controls.

Moxa Advisory

This advisory describes 14 vulnerabilities in the Moxa AWK-3121 wireless access point. The vulnerabilities were reported by Samuel Huntley. This product has reached end-of-life and is no longer supported.

The 14 reported vulnerabilities are:

• Cleartext transmission of sensitive information (3) - CVE-2018-10690, CVE-2018-10694 and CVE-2018-10698;
• Sensitive cookie without ‘HTTPONLY’ flag - CVE-2018-10692;
• Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2018-10693, CVE-2018-10695, CVE-2018-10701 and CVE-2018-10703;
• Cross-site request forgery - CVE-2018-10696;
• Command injection (3) - CVE-2018-10697, CVE-2018-10699 and CVE-2018-10702; and
• Cross-site scripting - CVE-2018-10700;

NCCIC-ICS reports that a relatively low-skilled attacker could remotely use publicly available exploits to allow an attacker to view sensitive information, cause availability issues, and execute remote code.

Reliable Controls Advisory

This advisory describes an unquoted search path or element vulnerability in the Reliable Controls License Manager. The vulnerability was reported by Gjoko Krstic of Applied Risk. Reliable Controls has a new version that mitigates the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to crash the system, view sensitive data, or execute arbitrary commands.

NOTE: Both of these product vulnerabilities were publicly reported back in June by the listed researcher. It appears that in at least one of the cases (probably both) the vendor did not reply or adequately address the researchers concerns even after there was public disclosure. The researchers then apparently turned to NCCIC-ICS for assistance.

No comments:

/* Use this with templates/template-twocol.html */