Today the CISA NCCIC-ICS published a control system security
advisory for products from B&R Automation.
B&R Advisory
This advisory describes three vulnerabilities in the B&R Automation Studio. The
vulnerabilities were reported by Nadav Erez of Claroty. B&R has new
versions that mitigate the vulnerabilities. There is no indication that Erez
has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Improper privilege management - CVE-2019-19100;
• Missing required cryptographic step - CVE-2019-19101; and
• Path traversal - CVE-2019-19102.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to delete arbitrary files
from the system, fetch arbitrary files, or perform arbitrary write operations.