Tuesday, March 24, 2020

2 Advisories Published – 3-24-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Schneider and VISAM.

Schneider Advisory

This advisory describes two vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by the Zero Day Initiative. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2020-7478;
• Missing authentication for critical function - CVE-2020-7479

NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow unauthorized access to sensitive data and functions.

NOTE: I briefly discussed these vulnerabilities earlier this month.

VISAM Advisory

This advisory describes five vulnerabilities in the VISAM VBASE automation platform. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. VISAM has not responded to NCCIC-ICS inquiries about these vulnerabilities.

The five reported vulnerabilities are:

• Relative path traversal - CVE-2020-7008;
• Incorrect default permissions - CVE-2020-7004;
• Inadequate encryption strength - CVE-2020-10601;
• Insecure storage of sensitive information - CVE-2020-7000; and
• Stack-based buffer overflow - CVE-2020-10599

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read the contents of unexpected files, escalate privileges to system level, execute arbitrary code on the targeted system, bypass security mechanisms, and discover the cryptographic key for the web login.

No comments:

/* Use this with templates/template-twocol.html */