Today CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi and Johnson Controls. They also updated three advisories for products from Mitsubishi, Schneider and multiple TCP/IP stack vendors.
Mitsubishi Advisory
This advisory describes two vulnerabilities in the Mitsubishi FA engineering software products. The vulnerabilities were reported by dliangfun. Mitsubishi has new versions that mitigate the vulnerabilities. There is no indication that dliangfun has been provided an opportunity to verify the efficacy.
The two reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2021-20587,
and
• Improper handling of length parameter inconsistency - CVE-2021-20588
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.
Johnson Controls Advisory
This advisory describes a path traversal vulnerability in the Johnson Controls Metasys Reporting Engine (MRE) Web Services. The vulnerability was reported by TIM Security Red Team Research. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote unauthenticated attacker to access and download arbitrary files from the system.
Mitsubishi Update
This update provides additional information on an advisory that was originally reported on October 8th, 2020 and most recently updated on October 29th, 2020. The new information includes adding updated affected version and mitigation information for R08/16/32/120PCPU.
Schneider Update
This update provides additional information on an advisory that was originally published on January 12th, 2020. The new information includes adding a link to the Schneider advisory.
Embedded TCP/IP Stacks Update
This update
provides additional information on an advisory that was originally
published on February 11th, 2021. The new information includes
adding mitigation measures for FNET.
No comments:
Post a Comment