Tuesday, February 18, 2020

4 Advisories and 1 Update Published – 2-18-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Emerson and Honeywell, two medical device security advisories for products from GE and Spacelabs, and 1 update for products from Interpeak.

Emerson Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Emerson OpenEnterprise SCADA Server. The vulnerability was reported by Roman Lozko of Kaspersky ICS CERT. Emerson has an upgrade that mitigates the vulnerability. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to allow an attacker to execute code on an OpenEnterprise SCADA Server.

Honeywell Advisory


This advisory describes a clear-text storage of sensitive information vulnerability in the Honeywell INNCOM INNControl 3 energy management platform. The vulnerability is self-reported. Honeywell has an upgrade available to mitigate the vulnerability.

NCCIC reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to escalate user privileges within the INNControl application.

GE Advisory


This advisory describes a protection measure failure vulnerability in the GE Ultrasound Products. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of scip AG. GE has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with local access could exploit the vulnerability to allow an attacker to gain access to the operating system of affected devices.

Spacelabs Advisory


This advisory describes the BlueKeep vulnerability in the Spacelabs Xhibit Telemetry Receiver. Spacelabs has an updated version that mitigates the vulnerability.

NOTE: A number of other vendors in both the control system and medical device realms issued advisories on this vulnerability (see my blog post here for example) beginning in May of last year. This is the first acknowledgement of vendor actions on this vulnerability from NCCIC-ICS though there was an obscure advisory on the vulnerability published by NCCIC-ICS.

Interpeak Update


This update provides additional information on the Urgent/11 advisory that was originally published on October 1st, 2019 and most recently updated on December 10th, 2019. The new information includes a link to a vendor advisory from Mitsubishi.

Posted by at
Labels: , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
 
/* Use this with templates/template-twocol.html */