Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi and Johnson Controls.
Mitsubishi Advisory
This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R Series modules. The vulnerability was reported by Yossi Reuven of SCADAfence. Mitsubishi plans to release a patch to mitigate the vulnerability. In the meantime, they have provided generic workarounds.
According to NCCIC-ICS a relatively low-skilled attacker could remotely exploit this vulnerability to result in a denial-of-service condition due to uncontrolled resource consumption.
NOTE: NCCIC-ICS did not provide a link to the Mitsubishi advisory.
Johnson Controls Advisory
This advisory describes an improper authorization vulnerability in the Johnson Controls American Dynamics victor Web Client. The vulnerability was reported by Joachim Kerschbaumer. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with access to an adjacent network could exploit the vulnerability to allow a
remote unauthenticated attacker to delete arbitrary files on the system or
render the system unusable through a denial-of-service attack.
No comments:
Post a Comment