Thursday, May 21, 2020

2 Advisories Published – 5-21-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Schneider Electric and Johnson Controls.

Schneider Advisory

This advisory describes five vulnerabilities in the Schneider EcoStruxure Operator Terminal Expert. The vulnerabilities were reported by Sharon Brizinov and Amir Preminger of Claroty Research (via the Zero Day Initiative), Steven Seeley and Chris Anastasio of Incite Team (via ZDI), and Fredrik Østrem, Emil Sandstø, and Cim Stordal of Cognite. Schneider has an update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• SQL injection - CVE-2020-7493,
• Path traversal (3) - CVE-2020-7494, CVE-2020-7495 and CVE-2020-7497, and
• Argument injection - CVE-2020-7496

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could use publicly available code to exploit the vulnerabilities to gain unauthorized write access or remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Johnson Controls Advisory

This advisory describes a cleartext storage of sensitive information vulnerability in Sensormatic Electronics (a subsidiary of Johnson Controls) video management systems. The vulnerability is self-reported. Johnson Controls has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to obtain credentials used to access the application.

