Wednesday, March 17, 2021

3 Advisories and 1 Update Published – 3-16-21

Yesterday the CISA NCCIC-ICS published three control system security advisories and updated one medical device security advisory.

Hitachi ABB Power Grids Advisory

This advisory describes an infinite loop vulnerability in the Hitachi ABB Power Grids AFS Series. This is a third-party (Belden) vulnerability that I briefly described in February. The vulnerability is self-reported. Hitachi ABB Power Grids has updates available that mitigate the vulnerability.

The NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a denial-of-service condition on one of the ports in an HSR ring.

GE Grid Advisory

This advisory describes ten vulnerabilities in the GE Grid UR family of advanced protection and control relays. The vulnerabilities were reported by SCADA-X, DOE CyTRICS program, Verve Industrial, and VuMetric. GE Grid has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Inadequate encryption strength (2) - CVE-2016-2183 (TLS/SSL/IPsec vulnerability) and CVE-2013-2566 (TLS/SSL vulnerability),

• Session fixation - CVE-1999-1085 (SSH vulnerability),

• Exposure of sensitive information to an unauthorized actor (2) - CVE-2021-27422 and CVE-2021-27424,

• Improper input validation (2) - CVE-2021-27418 and CVE-2021-27420,

• Unrestricted upload of file with dangerous type - CVE-2021-27428,

• Insecure default variable initialization - CVE-2021-27426, and

• Use of hard-coded credentials - CVE-2021-27430

NOTE 1: There are a large number of third-party vendor advisories for the first two CVEs over the years, but no published exploits.

NOTE 2: Those first three OLD vulnerabilities certainly help make a case for the use of a software bill of materials.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.

Advantech Advisory

This advisory describes a cross-site scripting vulnerability in the Advantech WebAccess/SCADA. The vulnerability was reported by Chizuru Toyama of TXOne IoT/ICS Security Research Labs. Advantech has a new version that mitigates the vulnerability. There is no indication that Toyama has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an unauthorized user to steal a user’s cookie/session token or redirect an authorized user to a malicious webpage.

BD Update

This update provides additional information on an advisory that was originally published on February 7th, 2017 and most recently updated on October 19th, 2017. The new information includes:

• Rewriting Risk Evaluation section,

• Adding Alaris 8015 PC unit, Versions 9.33, to the list of affected products,

• Rewriting description of CVE-2016-8375 vulnerability,

• Rewriting description of CVE-2016-9355 vulnerability, and

• Rewriting compensating controls descriptions
