Thursday, May 14, 2020

2 Advisories and 1 Update Published – 5-14-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Emerson and Opto 22. They also updated a previously issued advisory for products from 3S.

Emerson Advisory

This advisory describes an improper access control vulnerability in the Emerson WirelessHART Gateways. The vulnerability is self-reported. Emerson has updated firmware that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to disable the internal gateway firewall. Once the gateway's firewall is disabled, a malicious user could issue specific commands to the gateway, which could then be forwarded on to the end user's wireless devices.

Opto 22 Advisory

This advisory describes five vulnerabilities in the  Opto 22 SoftPAC Project virtual PLC. The vulnerabilities were reported by Mashav Sapir of Claroty. Opto 22 has a new version that mitigates the vulnerabilities. There is no indication that Sapir was provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• External control of file name or path - CVE-2020-12042,
• Improper verification of cryptographic signature - CVE-2020-12046,
• Improper access control - CVE-2020-10612,
• Uncontrolled search path element - CVE-2020-10616, and
• Improper authorization - CVE-2020-10620

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow arbitrary file write access with system access, start or stop service, allow remote code execution, and limit system availability.

3S Update

This update provides additional information on an advisory that was originally published on August 1st, 2019. The new information includes a link to a new version that mitigates the vulnerability. The publication of the new version was originally projected for February 2020.

No comments:

/* Use this with templates/template-twocol.html */