Today the CISA NCCIC-ICS published a control system security advisory for products from SHUN HU Technology.
SHUN HU Advisory
This advisory describes two vulnerabilities in the SHUN HU JUUKO Industrial Radio Remote Control system. The vulnerabilities were reported by Marco Balduzzi, Philippe Z Lin, Federico Maggi, Jonathan Andersson, Akira Urano, Stephen Hilt, and Rainer Vosseler via the Zero Day Initiative. SHUN HU has a new firmware version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Authentication bypass by capture-replay - CVE-2018-17932, and
• Command injection - CVE-2018-19025
NCCIC-ICS reports that a relatively low-skilled attacker with access to an adjacent network could exploit these vulnerabilities to replay commands, control the device, view commands, and/or stop the device from running.