Thursday, December 5, 2019

2 Advisories Published – 12-05-19

Today the CISA NCCIC-ICS published two control system security advisories for products from Weidmueller and Thales.

Weidmueller Advisory

This advisory describes 5 vulnerabilities in the Weidmueller Industrial Ethernet Switches. The vulnerabilities are self-reported. Weidmueller has firmware patches that mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Improper restriction of excessive authentication attempts - CVE-2019-16670;
• Uncontrolled resource consumption - CVE-2019-16671;
• Missing encryption of sensitive data - CVE-2019-16672;
• Unprotected storage of credentials - CVE-2019-16673; and
• Predictable from observable state - CVE-2019-16674

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain unauthorized access to the device, affecting the confidentiality, integrity, and availability of the device the attacker is targeting.

Thales Advisory

This advisory describes a link following vulnerability in the Thales SafeNet Sentinel LDK License Manager Runtime. The vulnerability was reported by Ryan Wincey of Blizzard Entertainment. Thales has a new version that mitigates the vulnerability. There is no indication that Wincey has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with local access could exploit the vulnerability to allow a local attacker to escalate privileges.

NOTE: I briefly addressed this vulnerability back in October.

No comments:

/* Use this with templates/template-twocol.html */