Today the CISA NCCIC-ICS published three control system and
one medical device security advisories for products from HMS Network, FATEK
Automation, AVEVA, and Philips.
HMS Advisory
This advisory
describes a permissive cross-domain policy with untrusted domains vulnerability
in the HMS Ewon Flexy and Cosy products. The vulnerability was reported by Parth
Srivastava of Protiviti India Member Private Limited. HMS has updated firmware
that mitigates the vulnerability. There is no indication that Srivastava has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to retrieve
limited confidential information.
FATEK Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the FATEK PLC
WinProladder. The vulnerability was reported by Natnael Samson via the Zero Day
Initiative. FATEK has not responded to NCCIC-ICS about this vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to crash the device
being accessed; a buffer overflow condition may cause a denial-of-service event
and remote code execution.
AVEVA Advisory
This advisory
describes an SQL injection vulnerability in the AVEVA Enterprise Data
Management Web. The vulnerability was reported by Yuri Kramarz of Cisco Talos.
AVEVA has an upgrade that mitigates the vulnerability. The AVEVA
advisory notes that Kramarz has verified the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to execute arbitrary SQL commands
on the affected device.
Philips Advisory
This advisory
describes eight vulnerabilities in the Philips Patient Information Center iX (PICiX),
PerformanceBridge Focal Point, and IntelliVue Patient Monitor products. The vulnerabilities
were reported by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research
GmbH and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH via BSI. Philips
plans on releasing updates over the next year.
The eight reported vulnerabilities are:
• Improper neutralization of formula elements in a CSV file - CVE-2020-16214,
• Cross-site scripting - CVE-2020-16218,
• Improper authentication - CVE-2020-16222,
• Improper check for certificate revocation - CVE-2020-16228,
• Improper handling of length parameter inconsistency - CVE-2020-16224,
• Improper validation of syntactic correctness of input - CVE-2020-16220,
• Improper input validation - CVE-2020-16216, and
• Exposure of resource to wrong sphere - CVE-2020-16212
NCCIC-ICS reports that a relatively low-skilled attacker
with either physical access to surveillance stations and patient monitors or
access to the medical device network could exploit the vulnerabilities to allow
unauthorized access, interrupted monitoring, and collection of access
information and/or patient data.