Tuesday, May 26, 2020

2 Advisories Published – 5-26-20

Today the NCCIC-ICS published two control system security advisories for products from Johnson Controls and Inductive Automation.

Johnson Controls Advisory

This advisory describes an improper access control vulnerability in the Johnson Controls Kantech EntraPass software. This vulnerability is self-reported. Johnson Controls has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an relatively low-skilled attacker with uncharacterized access to allow an authorized low-privileged user to gain full system-level privileges.

Inductive Automation Advisory

This advisory describes three vulnerabilities in the Inductive Automation Ignition. The vulnerabilities were reported by Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley via the Zero Day Initiative. Inductive Automation has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-12004, and
• Deserialization of untrusted data (2) - CVE-2020-10644 and CVE-2020-12000

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain sensitive information and perform remote code execution with SYSTEM privileges.

No comments:

/* Use this with templates/template-twocol.html */