Today the CISA NCCIC-ICS published two control system
security advisories for products from Rockwell Automation and OSIsoft as well
as a medical device security advisory for products from Philips.
Rockwell Advisory
This advisory
describes four vulnerabilities in the Rockwell FactoryTalk Linx Software. The
vulnerabilities were reported by Sharon Brizinov and Amir Preminger, of Claroty.
Rockwell has patches that mitigate the vulnerabilities. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
The four reported vulnerabilities are:
• Improper input validation (2) - CVE-2020-11999 and CVE-2020-12001,
• Path traversal - CVE-2020-12003, and
• Unrestricted upload of file of dangerous type - CVE-2020-12005
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to cause a
denial-of-service condition, obtain remote code execution, and read sensitive
information.
OSIsoft Advisory
This advisory
describes a cross-site scripting vulnerability in the OSIsoft PI Web API 2019.
The vulnerability was reported by Dor Yardeni and Eliad Mualem at OTORIO.
OSIsoft has a new service pack that mitigates the vulnerability. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability: a remote authenticated attacker
with write access to a PI Server could trick a user into interacting with a PI Web
API endpoint that executes arbitrary JavaScript in the user’s browser,
resulting in viewing, modification, or deletion of data as allowed by the
victim’s user permissions.
Philips Advisory
This advisory
describes an insertion of sensitive information into log file vulnerability in
the Philips IntelliBridge Enterprise
(IBE). Indiana University Health reported the vulnerability. Philips plans a
new release to mitigate the vulnerability in 4th Qtr 2020; meanwhile
they provide generic mitigation measures to address the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to
access credentials to the hospital’s clinical information systems (EMR).