Today the CISA NCCIC-ICS published two control system
security advisories for products from Schneider and VISAM.
Schneider Advisory
This advisory describes
two vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS).
The vulnerabilities were reported by the Zero Day Initiative. Schneider has a
new version that mitigates the vulnerability. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The two reported vulnerabilities are:
• Path traversal - CVE-2020-7478;
• Missing authentication for critical
function - CVE-2020-7479
NCCIC-ICS reported that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow unauthorized access to
sensitive data and functions.
NOTE: I briefly
discussed these vulnerabilities earlier this month.
VISAM Advisory
This advisory describes
five vulnerabilities in the VISAM VBASE automation platform. The
vulnerabilities were reported by Gjoko Krstic of Applied Risk. VISAM has not
responded to NCCIC-ICS inquiries about these vulnerabilities.
The five reported vulnerabilities are:
• Relative path traversal - CVE-2020-7008;
• Incorrect default permissions - CVE-2020-7004;
• Inadequate encryption strength - CVE-2020-10601;
• Insecure storage of sensitive
information - CVE-2020-7000; and
• Stack-based buffer overflow - CVE-2020-10599
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to allow an attacker to read the
contents of unexpected files, escalate privileges to system level, execute
arbitrary code on the targeted system, bypass security mechanisms, and discover
the cryptographic key for the web login.
Posts
No comments:
Post a Comment