Today the CISA NCCIC-ICS published a control system security
advisory for products from Red Lion and updated a medical device security
advisory for products from OpenClinic GA.
Red Lion Advisory
This advisory
describes five vulnerabilities in the Red Lion N-Tron 702W series products. The
vulnerabilities were reported by Thomas Weber from SEC Consult Vulnerability Lab.
These products went out of support in 2018 and cannot be updated.
The five reported vulnerabilities are:
• Cross-site scripting - CVE-2020-16210
and CVE-2020-16206,
• Cross-site request forgery - CVE-2020-16208,
• Backdoor - CVE-2020-16204, and
• Use of unmaintained third-party
components - CVE-2017-16544
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker to gain
unauthorized access to sensitive information, execute system commands, and perform
actions in the context of an attacked user.
NOTE: There are multiple proof-of-concept exploits available
for the last vulnerability, actually multiple vulnerabilities. Some of those
exploits of the BusyBox vulnerabilities can be found here, here and here.
OpenClinic Update
This update
provides additional information on an advisory that was originally
published on July 2nd, 2020. The new information includes three
CVE numbers for vulnerabilities covered under the single listed ‘use of
unmaintained third-party components vulnerability’; those CVE’s are
• CVE-2014-0114 (Apache
Struts, improper input validation, multiple exploits)
• CVE-2016-1181 (Apache
Struts, insufficient information, multiple exploits), and
• CVE-2016-1182 (Apache
Struts, improper input validation, multiple expoits)
Posts
No comments:
Post a Comment