Today the CISA NCCIC-ICS published a control system security advisory for products from Schneider.
This advisory describes four improper restrictions of operation within the bounds of a memory buffer in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by Kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that Kimiya has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability in a way that could result in remote code execution.
Other Schneider Advisories
Schneider published this vulnerability on Tuesday. They also published two other new advisories and updated two previously published advisories. I will discuss these advisories this weekend.