Tuesday, April 28, 2020

1 Advisory Published – 4-28-20

Today the CISA NCCIC-ICS published a control system security advisory for products from LCDS.

LCDS Advisory

This advisory describes two vulnerabilities in the LCDS LAquis SCADA. The vulnerabilities were reported by Natnael Samson via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Exposure of sensitive data to an unauthorized actor - CVE-2020-10618; and
• Improper input validation - CVE-2020-10622.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow unauthorized attackers to view sensitive information and create files in arbitrary locations.

No comments:

/* Use this with templates/template-twocol.html */