Today the CISA NCCIC-ICS published four control system security
advisories for products from Mitsubishi Electric (3) and Inductive Automation.
They also published a medical device security advisory for products from
Philips.
Factory Automation Advisory #1
This advisory
describes an unquoted search path or element vulnerability in the Mitsubishi Factory
Automation Engineering products. The vulnerability was reported by Mashav Sapir
of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There
is no indication that Sapir has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow an
attacker to obtain unauthorized information, modify information, and cause a
denial-of-service condition.
Factory Automation Advisory #2
This advisory
describes a path traversal vulnerability in the Mitsubishi Factory Automation
products. The vulnerability was reported by Mashav Sapir of Claroty. Mitsubishi
has new versions that mitigate the vulnerability. There is no indication that
Sapir has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to may allow an attacker to obtain
unauthorized information, tamper the information, and cause a denial-of-service
condition.
Factory Automation Advisory #3
This advisory
describes a permissions issue vulnerability in the Mitsubishi Factory
Automation Engineering Software products. The vulnerability was reported by Younes
Dragoni of Nozomi Networks, the Applied Risk research team, and Mashav Sapir of
Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is
no indication that researchers have been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability to enable the reading of arbitrary files,
cause a denial-of-service condition, and allow execution of a malicious binary.
Inductive Automation Advisory
This advisory
describes a missing authorization vulnerability in the Inductive Automation Ignition
8 product. The vulnerability was reported by Mashav Sapir of Claroty. Inductive
Automation has a new version that mitigates the vulnerability. There is no indication
that Sapir has been provided an opportunity to verify the efficacy of the fxi.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to gain access to
sensitive information.
Philips Advisory
This advisory
describes an insertion of sensitive information into log file vulnerability in
the Philips DreamMapper mobile application. The vulnerability was reported by Lutz
Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research
& Consulting. Philips plans a new release to mitigate the vulnerability by
June of next year.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker access to the log
file information containing descriptive error messages.
Posts
No comments:
Post a Comment