Thursday, December 3, 2020

1 Advisory and 2 Updates Published – 12-3-20

Today the CISA NCCIC-ICS published one control system security advisory for products from National Instruments. They also updated two advisories for products from Wibu-Systems and WECON.

National Instruments Advisory

This advisory describes an incorrect permission assignment for critical resource vulnerability in the National Instruments CompactRIO real-time embedded industrial controller. The vulnerability was reported by Titanium Industrial Security via Incibe CERT. National Instruments has a new driver that mitigates the vulnerability. There is no indication that researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to reboot the device.

CodeMeter Update

This update provides additional information on an advisory that was originally published on September 8th, 2020 and most recently updated on October 15th, 2020. The new information includes links to vendor advisories for products from:

• Eaton, and

• TRUMPF

NOTE: I briefly discussed the Eaton advisory back in early October and the TRUMPF advisory later that month. NCCIC-ICS has not yet mentioned the ENDRESS+HAUSER advisory that I mentioned in the same blog post as the TRUMPF advisory.

WECON Update

This update provides additional information on an advisory that was originally published on August 25, 2020 and most recently updated on October 29th, 2020. The new information includes:

• Adding a new vulnerability (heap-based buffer overflow - CVE-2020-25199), and

• Adding a new reporting researcher (Peter Cheng from Elex Cybersecurity Inc)
