Thursday, November 5, 2020

2 Advisories and 2 Updates Published – 11-5-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi and WECON. They also updated two advisories for products from Mitsubishi.

Mitsubishi Advisory

This advisory describes six vulnerabilities in the Mitsubishi GT14 model of GOT1000 Series graphic operation terminal. The vulnerabilities were self-reported. Mitsubishi has a new Core OS version that mitigates the vulnerability.

The six reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-5644,

• Session fixation - CVE-2020-5645,

• Null pointer dereference - CVE-2020-5646,

• Improper access control - CVE-2020-5647,

• Argument injection - CVE-2020-5648, and

• Resource management errors - CVE-2020-5649

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in a denial-of-service condition or code execution.

WECON Advisory

This advisory describes two vulnerabilities in the WECON PLC Editor. The vulnerabilities were reported by Natnael Samson and Francis Provencher via the Zero Day Initiative. WECON is working on a solution to the vulnerabilities.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-25177, and

• Heap-based buffer overflow- CVE-2020-25181

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to execute code under the privileges of the application.

MELSEC iQ-R Update

This update provides additional information on an advisory that was originally published on June 9th, 2020 and most recently updated on June 16th, 2020. The new information includes updated affected version and mitigation information for:

• R08/16/32/120PCPU,

• R08/16/32/120PSFCPU, and

• RJ71EN71

Factory Automation Update

This update provides additional information on an advisory that was originally published on July 30th, 2020. The new information includes updated affected version and mitigation information for:

• Data Transfer,

• GT Designer3 Version1 (GOT1000),

• GT Designer3 Version1 (GOT2000),

• GT SoxGOT1000 Version3,

• GT SoxGOT2000,

• MX MESInterface, and

• MX MESInterface-R

NOTE: the actual mitigation information is not available on the NCCIC-ICS advisory but it is available on the Mitsubishi advisory. NCCIC-ICS added: “Please refer to the Mitsubishi Electric website for details on available patches.”

No comments:

 
/* Use this with templates/template-twocol.html */