Thursday, April 22, 2021

2 Advisories Published – 4-22-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Horner Automation.

Mitsubishi Advisory

This advisory describes an improper authentication vulnerability in the Mitsubishi GOT products. The vulnerability is self-reported. Mitsubishi provides generic mitigation measures pending development of an updated version.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to gain unauthorized access.

Horner Advisory

This advisory describes two vulnerabilities in the Horner Automation Cscape control system application programming software. The vulnerabilities were reported by Sharon Brizinov of Claroty. Horner has a new version that mitigates the vulnerabilities. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper input validation - CVE-2021-22678, and

• Improper access control - CVE-2021-22682

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerabilities to execute code in the context of the current process or locally escalate privileges.
