Today the CISA NCCIC-ICS published two control system
security advisories for products from Emerson and Opto 22. They also updated a
previously issued advisory for products from 3S.
Emerson Advisory
This advisory
describes an improper access control vulnerability in the Emerson WirelessHART
Gateways. The vulnerability is self-reported. Emerson has updated firmware that
mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to disable the internal gateway
firewall. Once the gateway's firewall is disabled, a malicious user could issue
specific commands to the gateway, which could then be forwarded on to the end
user's wireless devices.
Opto 22 Advisory
This advisory
describes five vulnerabilities in the Opto 22 SoftPAC Project virtual PLC. The
vulnerabilities were reported by Mashav Sapir of Claroty. Opto 22 has a new
version that mitigates the vulnerabilities. There is no indication that Sapir
was provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• External control of file name or path - CVE-2020-12042,
• Improper verification of cryptographic signature - CVE-2020-12046,
• Improper access control - CVE-2020-10612,
• Uncontrolled search path element - CVE-2020-10616, and
• Improper authorization - CVE-2020-10620
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to gain arbitrary file write access
with system access, start or stop a service, execute code remotely, and
limit system availability.
3S Update
This update
provides additional information on an advisory that was originally
published on August 1st, 2019. The new information includes a
link to a new version that mitigates the vulnerability. The publication of the
new version was originally projected for February 2020.