Tuesday, December 1, 2020

1 Advisory Published – 12-1-20

Today the CISA NCCIC-ICS published one control system security advisory for products from Schneider.

Schneider Advisory

This advisory describes an improper privilege management vulnerability in the Schneider EcoStruxure Operator Terminal Expert product. The vulnerability was reported by Lasse Trolle Borup, Danish Cyber Defence. Schneider has a new version that mitigates the vulnerability. There is no indication that Borup has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow unauthorized command execution by a local user of the Windows engineering workstation, which could result in loss of availability, confidentiality, and integrity of the workstation where EcoStruxure Operator Terminal Expert runtime is installed.

NOTE: I briefly discussed this vulnerability early last month.
