Today the CISA NCCIC-ICS published two control system
security advisories for products from SAE IT-systems and Fazecast.
SAE Advisory
This advisory
describes two vulnerabilities in the SAE FW-50 RTU modular telecontrol system.
The vulnerabilities were reported by Murat Aydemir of Biznet Bilisim. SAE has a
new CPU card that mitigates the vulnerability.
The two reported vulnerabilities are:
• Cross-site scripting - CVE-2020-10630; and
• Path traversal - CVE-2020-10634
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to execute remote
code, disclose sensitive information, or cause a denial-of-service condition.
NOTE: Is it just me, or does replacing a CPU to fix a programming
problem seem to be just a tiny bit of overkill?
Fazecast Advisory
This advisory
describes an uncontrolled search path element vulnerability in Fazecast jSerialComm,
a platform-independent serial port access library for Java. The advisory
reports that this vulnerability (presumably as a third-party vuln) also affects
the Schneider EcoStruxure IT Gateway (no Schneider
advisory has been published yet). The vulnerability was reported by Ryan
Wincey of Securifera via the Zero Day Initiative. Fazecast (and Schneider) have
a new version that mitigates the vulnerability. There is no indication that Wincey
has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow an
unauthenticated attacker to execute arbitrary code on a targeted system.
NOTE: It seems strange to see a library vulnerability advisory
including the mention of an affected vendor on the day of the initial release.
I suppose that Fazecast told either ZDI or NCCIC-ICS who their customers were
so that NCCIC-ICS could contact them about the vulnerability. It will be
interesting to see which (if any) other vendors are using this Java library.