Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Datakit Libraries.
Rockwell Advisory
This advisory describes a channel accessible by non-endpoint vulnerability in the Rockwell Micro800, MicroLogix 1400 controllers. The vulnerability was reported by Hyunguk Yoo from The University of New Orleans, as well as Adeen Ayub and Irfan Ahmed from Virginia Commonwealth University. Rockwell provides generic work arounds for the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker can remotely exploit the vulnerability to may result in denial-of-service conditions, which may require a firmware flash to recover.
NOTE: The Rockwell advisory recommends blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. This is not mentioned in the NCCIC-ICS guidance.
DataKit Advisories
This advisory describes five vulnerabilities in the DataKit Software libraries embedded in Luxion KeyShot software. The vulnerabilities were reported by rgod via the Zero Day Initiative. DataKit has a new version that mitigates the vulnerabilities and Luxion has a new version that contains the new DataKit version.
The five reported vulnerabilities are:
• Out-of-bounds write - CVE-2021-27488,
• Improper restrictions on XML
external entity reference - CVE-2021-27492,
• Stack-based buffer overflow - CVE-2021-27494,
• Untrusted pointer dereference - CVE-2021-27496,
and
• Out-of-bounds read - CVE-2021-27490
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to lead to
execution of arbitrary code and disclosure of arbitrary files to unauthorized
actors.
Posts
No comments:
Post a Comment