Today the CISA NCCIC-ICS published one control system
security advisory for products from Systech Corporation and one medical device
security advisory for products from Insulet.
Systech Advisory
This advisory
describes a cross-site scripting vulnerability in the Systech NDS-5000 Terminal
Server. The vulnerability was reported by Murat Aydemir at Biznet Bilisim AS.
Systech has a new firmware version that mitigates the vulnerability. There is
no indication that Aydemir has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to disclose information, limit
system availability, and potentially achieve remote code execution.
Insulet Advisory
This advisory
describes an improper access control vulnerability in the Insulet Omnipod Insulin
Management System. The vulnerability was reported by Thirdwayv Inc. Insulet
provides generic mitigation measures to address the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access (this is an RF intercept problem so – remote access?)
could use a publicly available exploit
to abuse (sorry, I did not want to repeat the word ‘exploit’; trying this on
for size) the vulnerability.
NOTE: It looks like this ‘exploit’ is being developed by an
unauthorized user group to expand the options for using the Insulet OmniPod
insulin pump.