Thursday, April 2, 2020

1 Advisory Published – 4-2-20


Today the CISA NCCIC-ICS published a control system security advisory for products from B&R Automation.

B&R Advisory


This advisory describes three vulnerabilities in the B&R Automation Studio. The vulnerabilities were reported by Nadav Erez of Claroty. B&R has new versions that mitigate the vulnerabilities. There is no indication that Erez has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper privilege management - CVE-2019-19100;
• Missing required cryptographic step - CVE-2019-19101; and
• Path traversal - CVE-2019-19102

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to  allow an attacker to delete arbitrary files from this system, fetch arbitrary files, or perform arbitrary write operations.

No comments:

 
/* Use this with templates/template-twocol.html */