Today the CISA NCCIC-ICS published two control system
security advisories for products from Mitsubishi Electric and Delta Industrial.
They also updated two advisories for products from Treck and Inductive
Automation.
Mitsubishi Advisory
This advisory
describes two vulnerabilities in the Mitsubishi Factory Automation Engineering
Software Products. The vulnerabilities are self-reported. Mitsubishi has new
versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Improper restriction of XML
external entity reference - CVE-2020-5602, and
• Uncontrolled resource consumption
- CVE-2020-5603
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow a local attacker to send
files outside of the system as well as cause a denial-of-service condition.
NOTE: NCCIC-ICS did not provide a link to the Mitsubishi
advisory.
Delta Advisory
This advisory
describes two vulnerabilities in the Delta Industrial Automation DOPSoft HMI
editing software. The vulnerabilities were reported by Natnael Samson
(@NattiSamson) via the Zero Day Initiative. Delta expects to have a new version
to mitigate these vulnerabilities available next month (July).
The two reported vulnerabilities are:
• Out-of-bounds read - CVE-2020-10597,
and
• Heap-based buffer overflow - CVE-2020-14482
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit these vulnerabilities to allow an attacker
to read/modify information, execute arbitrary code, and/or crash the
application.
Treck Update
This update
provides new information on an advisory that was originally
published on June 16th, 2020 and most
recently updated on June 18th, 2020. The new information
includes the addition of links to two new affected vendors’ advisories:
• CareStream
and
• Eaton
NOTE: I briefly mentioned
the Eaton advisory last Saturday.
Inductive Update
This update
provides new information on an advisory that was originally
published on May 26th, 2020 and most
recently updated on June 2nd, 2020. The new information includes:
• The addition of a new
vulnerability – missing authentication for critical function - CVE-2020-14479,
and
• A note that it will be corrected
in an expected future version update.
NOTE: There is no mention of the two updates listed above on
either the CISA Industrial
Control Systems landing page or the associated Recently Published page. Fortunately
ICS-CERT (ics-cert@ncas.us-cert.gov)
sent out email notifications and TWEETS® on the two updates.
Posts
No comments:
Post a Comment