Thursday, September 17, 2020

2 Advisories and 1 Update Published – 9-17-20

Today the CISA NCCIC-ICS published one control system security advisory for products from Advantech, a medical device security advisory for products from Philips, and updated an advisory for products from WIBU-Systems.

Advantech Advisory

This advisory describes an incorrect permission assignment for critical resource vulnerability in the Advantech WebAccess Node HMI platform. The vulnerability was reported by Mat Powell via the Zero Day Initiative. Advantech has a new update that mitigates the vulnerability. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to escalate their privileges.

Philips Advisory

This advisory describes five vulnerabilities in the Philips Clinical Collaboration Platform. The vulnerabilities were reported by Northridge Hospital Medical Center. Philips has a patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Cross-site request forgery - CVE-2020-14506,

• Improper neutralization of script in attributes in a web page - CVE-2020-14525,

• Protection mechanism failure - CVE-2020-16198,

• Algorithm downgrade - CVE-2020-16200, and

• Configuration - CVE-2020-16247

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to trick a user into executing unauthorized actions, or to obtain identifying information that could be used in subsequent attacks.

WIBU-Systems Update

This update provides additional information on an advisory that was originally published on September 8th, 2020. The new information includes:

• Affected version information,

• Links to additional affected vendor advisories for CODESYS, PEPPERL+FUCHS, PILZ, Phoenix Contact, and WAGO

NOTE: I identified all but the CODESYS advisory in a post last weekend. In addition, I also noted that ABB published four CodeMeter advisories.
