Today the CISA NCCIC-ICS published two control system
security advisories for products from Emerson and Honeywell, two medical device
security advisories for products from GE and Spacelabs, and 1 update for
products from Interpeak.
Emerson Advisory
This advisory
describes a heap-based buffer overflow vulnerability in the Emerson OpenEnterprise
SCADA Server. The vulnerability was reported by Roman Lozko of Kaspersky ICS
CERT. Emerson has an upgrade that mitigates the vulnerability. There is no
indication that Lozko has been provided an opportunity to verify the efficacy
of the fix.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit this vulnerability to allow an attacker to execute code on an
OpenEnterprise SCADA Server.
Honeywell Advisory
This advisory
describes a clear-text storage of sensitive information vulnerability in the
Honeywell INNCOM INNControl 3 energy management platform. The vulnerability is
self-reported. Honeywell has an upgrade available to mitigate the vulnerability.
NCCIC reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to allow an attacker to
escalate user privileges within the INNControl application.
GE Advisory
This advisory
describes a protection measure failure vulnerability in the GE Ultrasound
Products. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of
scip AG. GE has provided generic workarounds to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with local access could exploit the vulnerability to allow an attacker to gain
access to the operating system of affected devices.
Spacelabs Advisory
This advisory
describes the BlueKeep
vulnerability in the Spacelabs Xhibit Telemetry Receiver. Spacelabs has an
updated version that mitigates the vulnerability.
NOTE: A number of other vendors in both the control system
and medical device realms issued advisories on this vulnerability (see my blog
post here
for example) beginning in May of last year. This is the first acknowledgement
of vendor actions on this vulnerability from NCCIC-ICS though there was an obscure
advisory on the vulnerability published by NCCIC-ICS.
Interpeak Update
This update
provides additional information on the Urgent/11
advisory that was originally
published on October 1st, 2019 and most
recently updated on December 10th, 2019. The new information
includes a link to a vendor advisory from Mitsubishi.
Posts
No comments:
Post a Comment