Tuesday, June 15, 2021

2 Advisories and 1 Update Published – 6-15-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Automation Direct and ThroughTek. They also updated a medical device security advisory for products from OpenClinic.

Automation Direct Advisory

This advisory describes five vulnerabilities in the Automation Direct CLICK PLC CPU modules. The vulnerabilities were reported by Irfan Ahmed and Adeen Ayub of Virginia Commonwealth University and Hyunguk Yoo of the University of New Orleans. Automation Direct has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Authentication bypass using alternate path or channel - CVE-2021-32980, CVE-2021-32984, and CVE-2021-32986,

• Clear-text transmission of sensitive information - CVE-2021-32982, and

• Unprotected storage of credentials - CVE-2021-32978.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to log in as a currently or previously authenticated user or to discover passwords for valid users.

ThroughTek Advisory

This advisory describes a clear-text transmission of sensitive information vulnerability in the ThroughTek P2P Software Development Kit (SDK). The vulnerability was reported by Nozomi Networks. ThroughTek has a new version that, along with certain setting manipulations, mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to permit unauthorized access to sensitive information, such as camera audio/video feeds.

OpenClinic Update

This update provides additional information on an advisory that was originally published on July 2nd, 2020 and most recently updated on August 27th, 2020. The new information is the addition of a new version that mitigates the vulnerabilities.

NOTE: NCCIC-ICS forgot to refer to the previous update instead of the original version of the advisory in Section 2.
