Today the CISA NCCIC-ICS published one control system security advisory for products from Advantech, a medical device security advisory for products from Philips, and updated an advisory for products from WIBU-Systems.
Advantech Advisory
This advisory describes an incorrect permission assignment for critical resource vulnerability in the Advantech WebAccess Node HMI platform. The vulnerability was reported by Mat Powell via the Zero Day Initiative. Advantech has a new update that mitigates the vulnerability. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to escalate their privileges.
Philips Advisory
This advisory describes five vulnerabilities in the Philips Clinical Collaboration Platform. The vulnerabilities were reported by Northridge Hospital Medical Center. Philips has a patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Cross-site request forgery - CVE-2020-14506,
• Improper neutralization of script in attributes in a web page - CVE-2020-14525,
• Protection mechanism failure - CVE-2020-16198,
• Algorithm downgrade - CVE-2020-16200, and
• Configuration - CVE-2020-16247
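The second item, improper neutralization of script in attributes in a web page, is the attribute-context variant of cross-site scripting: an escaper written for element text (encoding &, < and >) leaves quotes alone, so a value placed inside an HTML attribute can close that attribute and start a new event-handler attribute. The following is an added illustration of that weakness class in general; it is not Philips code and says nothing about how the Clinical Collaboration Platform is built. The `render_vulnerable` and `render_hardened` functions, the `<span title="...">` template and the attacker string are all hypothetical, and `attribute_names` is a deliberately lenient attribute tokenizer used only to show what a browser would see.

```python
import html
import re

# Constructed attacker-controlled value (not taken from the advisory): the leading
# double quote closes the attribute it lands in, and the remainder becomes a new
# event-handler attribute once the browser tokenizes the tag.
PAYLOAD = '" onmouseover="alert(1)'


def render_vulnerable(display_name: str) -> str:
    """Text-context escaping only: & < > are encoded but quotes are left alone.
    quote=False mimics an escaper written for element text, not attributes."""
    escaped = html.escape(display_name, quote=False)
    return f'<span title="{escaped}">user</span>'


def render_hardened(display_name: str) -> str:
    """Attribute-context escaping: quotes are encoded as well, and the value is
    always wrapped in double quotes so a space cannot begin a new attribute."""
    escaped = html.escape(display_name, quote=True)
    return f'<span title="{escaped}">user</span>'


_TAG_RE = re.compile(r'<span\b([^>]*)>')
_ATTR_RE = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def attribute_names(fragment: str) -> list[str]:
    """Return the attribute names a lenient tokenizer sees on the <span>.
    Any name beyond 'title' means the input escaped the attribute context."""
    m = _TAG_RE.search(fragment)
    if m is None:
        return []
    return [name for name, _ in _ATTR_RE.findall(m.group(1))]


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        out = render(PAYLOAD)
        print(f"{render.__name__}: {out}")
        print(f"  attributes seen: {attribute_names(out)}")
```

The hardened version still depends on the template quoting the attribute: with an unquoted attribute (`title={escaped}`) a plain space in the input would start a new attribute even though every quote is encoded, which is why attribute-context encoders and always-quoted templates go together.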
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to trick a user into executing unauthorized actions, or to obtain identifying information that could be used in subsequent attacks.
WIBU-Systems Update
This update provides additional information on an advisory that was originally published on September 8th, 2020. The new information includes:
• Affected version information, and
• Links to additional affected vendor advisories for:
◦ CODESYS,
◦ PILZ,
◦ Phoenix Contact, and
◦ WAGO
NOTE: I identified all but the CODESYS advisory in a post last weekend. In addition, I noted that ABB published four CodeMeter advisories.