Tuesday, August 25, 2020

3 Advisories Published – 8-25-20


Today the CISA NCCIC-ICS published three control system security advisories for products from WECON, Emerson, and Advantech.

WECON Advisory


This advisory describes a stack-based buffer overflow vulnerability in the WECON LeviStudioU. The vulnerabilities (see note below) were reported by Natnael Samson via the Zero Day Initiative. WECON is working on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to execute code under the privileges of the application.

NOTE: As I noted last Saturday, Samson reported 22 separate (ZDI-20-1055 thru ZDI-20-1076) stack-based buffer overflow vulnerabilities in this product. NCCIC-ICS lumped the ‘multiple buffer overflow vulnerabilities’ into a single CVE, CVE-2019-16243. Samson’s ZDI reports provide the name of each of the affected modules of the program. The ZDI advisories also note that in order to exploit the vulnerabilities an authenticated user must “visit a malicious page or open a malicious file”; presumably this would require a social engineering attack.

Emerson Advisory


This advisory describes an inadequate encryption strength vulnerability in the Emerson OpenEnterprise SCADA Software. The vulnerability was reported by Roman Lozko of Kaspersky. Emerson has a new service pack that mitigates the vulnerability. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to gain access to credentials that OpenEnterprise holds for accessing field devices and external systems.

Advantech Advisory


This advisory describes a path traversal vulnerability in the Advantech iView device management application. The vulnerability was reported by KPC via ZDI. Advantech has a new version that mitigates the vulnerability. There is no indication that KPC has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to read/modify information, execute arbitrary code, limit system availability, and/or crash the application.
