Thursday, December 10, 2020

3 Advisories Published – 12-10-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Host Engineering and Mitsubishi Electric. They also published a medical device security advisory for products from Medtronic.

Host Advisory

This advisory describes an improper input validation vulnerability in the Host ECOM100 Module. The vulnerability was reported by Uri Katz of Claroty. Host has a new version that mitigates the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to lead to a denial-of-service condition, forcing an operator to manually restart the device.

Mitsubishi Advisory

This advisory describes an improper check or handling of exceptional conditions vulnerability in the Mitsubishi MELSEC iQ-F Series CPU modules. The vulnerability is self-reported. Mitsubishi has newer firmware that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device to enter a denial-of-service condition, and a reset of the CPU module is required for recovery.

NOTE: NCIC-ICS did not provide the link to the Mitsubishi advisory.

Medtronic Advisory

This advisory describes three vulnerabilities in the Medtronic MyCareLink Smart Patient Reader. The vulnerabilities were initially reported by Sternum. Medtronic has a firmware update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2020-25183,

• Heap-based buffer overflow - CVE-2020-25187, and

• Time-of-check time-of-use race condition - CVE-2020-27252

NCCIC-ICS reports that a relatively low-skilled attacker with adjacent (Bluetooth range) access could exploit the vulnerability to result in the attacker being able to modify or fabricate data from the implanted cardiac device being uploaded to the CareLink Network and remotely execute code on the MCL Smart Patient Reader device, which could allow control of a paired cardiac device.

No comments:

 
/* Use this with templates/template-twocol.html */