Tuesday, May 5, 2020

2 Advisories Published – 5-5-20

Today the CISA NCCIC-ICS published two control system security advisories for products from SAE IT-systems and Fazecast.

SAE Advisory 

This advisory describes two vulnerabilities in the SAE FW-50 RTU modular telecontrol system. The vulnerabilities were reported by Murat Aydemir of Biznet Bilisim. SAE has a new CPU card that mitigates the vulnerability.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-10630; and
• Path traversal - CVE-2020-10634

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to execute remote code, disclose sensitive information, or cause a denial-of-service condition.

NOTE: Is it just me, or does replacing a CPU to fix a programming problem seem to be just a tiny bit of overkill?

Fazecast Advisory  

This advisory describes an uncontrolled search path element vulnerability in the Fazecast jSerialComm, a platform-independent serial port access library for Java. The advisory reports that this vulnerability (presumably as a third-party vuln) also affects the Schneider EcoStruxure IT Gateway (no Schneider advisory has been published yet). The vulnerability was reported by Ryan Wincey of Securifera via the Zero Day Initiative. Fazecast (and Schneider) has a new version that mitigates the vulnerability. There is no indication that Wincey has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an unauthenticated attacker to execute arbitrary code on a targeted system.

NOTE: It seems strange to see a library vulnerability advisory including the mention of an affected vendor on the day of the initial release. I suppose that Fazecast told either ZDI or NCCIC-ICS who their customers were so that NCCIC-ICS could contact them about the vulnerability. It will be interesting to see what (if) other vendors are using this Java library.

No comments:

/* Use this with templates/template-twocol.html */