Today the CISA NCCIC-ICS published two control system
security advisories for products from Schneider Electric.
Magelis HMI Panel Advisory
This advisory
describes an improper check for unusual or exceptional conditions vulnerability
in the Schneider Magelis HMI Panel. The vulnerability was reported by VAPT
Team, C3i Center. Schneider has provided generic workarounds to mitigate the
vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow a denial-of-service
condition.
NOTE: I briefly discussed this vulnerability last August.
Modicon Ethernet Serial RTU Advisory
This advisory
describes three vulnerabilities in the Schneider Modicon BMXNOR0200H
Ethernet/Serial RTU module. The vulnerabilities were reported by VAPT Team, C3i
Center. Schneider has provided generic workarounds to mitigate the
vulnerabilities.
The three reported vulnerabilities are:
• Improper check for unusual or exceptional conditions (2) - CVE-2019-6813 and CVE-2019-6831; and
• Improper access control - CVE-2019-6810
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow remote code execution or
cause a denial-of-service condition.
NOTE: I briefly discussed this vulnerability last August.
Other Schneider Advisories
While NCCIC-ICS was covering these two 5-month-old
vulnerability reports, Schneider was
publishing three new advisories this week. I will cover them this weekend.