Today the CISA NCCIC-ICS published two control system
security advisories for products from Rockwell Automation and Emerson.
Rockwell Advisory
This advisory describes
two vulnerabilities in the Rockwell EDS Subsystem. The vulnerabilities were
reported by Sharon Brizinov and Amir Preminger (VP Research) of Claroty.
Rockwell has a patch available to mitigate the vulnerability. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The two reported vulnerabilities are:
• Improper restriction of
operations within the bounds of a memory buffer - CVE-2020-12038, and
• SQL injection - CVE-2020-12034
NCCIC-ICS reported that a relatively low-skilled attacker on
an adjacent network could exploit the vulnerabilities to lead to a denial-of-service condition.
Emerson Advisory
This advisory describes
three vulnerabilities in the Emerson OpenEnterprise SCADA Software. The vulnerabilities
were reported by Roman Lozko of Kaspersky. Emerson has an upgrade that
mitigates the vulnerabilities. There is no indication that Lozko has been
provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Missing authentication for
critical function - CVE-2020-10640,
• Improper ownership management - CVE-2020-10632,
and
• Inadequate encryption strength - CVE-2020-10636
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow an attacker access to
OpenEnterprise configuration services or access passwords for OpenEnterprise
user accounts.
Posts
No comments:
Post a Comment