Tuesday, November 3, 2020

3 Advisories Published – 11-3-20

Today the CISA NCCIC-ICS published three control system security advisories for products from ARC Informatique, NEXCOM, and WAGO.

ARC Advisory

This advisory describes three vulnerabilities in the ARC PcVue. The vulnerabilities were reported by Sergey Temnikov and Andrey Muravitsky of Kaspersky Lab. ARC has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2020-26867,

• Access to critical private variable via public method - CVE-2020-26868, and

• Information exposure of sensitive information to an unauthorized actor - CVE-2020-26869

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute arbitrary code, expose sensitive data, and prevent legitimate users from connecting to PcVue services.

NEXCOM Advisory

This advisory describes two vulnerabilities in the NEXCOM NIO 50 IoT Gateway. The vulnerabilities were reported by the Zero Day Initiative. NEXCOM no longer supports the NIO 50 product.

The two reported vulnerabilities are:

• Improper input validation - CVE-2020-25151, and

• Cleartext transmission of sensitive information - CVE-2020-25155

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to view sensitive information and cause a denial-of-service condition due to improper input validation.

WAGO Advisory

This advisory describes an uncontrolled resource consumption vulnerability. This vulnerability was reported by William Knowles of Applied Risk. WAGO has new firmware that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to crash the device being accessed using a denial-of-service attack.

NOTE 1: I briefly discussed this vulnerability last Saturday.

NOTE 2: The researcher acknowledgement section of this advisory is a little confusing. William Knowles of Applied Risk reported the vulnerability via CERT@VDE.
