Thursday, June 10, 2021

3 Advisories Published – 6-10-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from AGG Software and Rockwell Automation. They also published a medical device security advisory for products from ZOLL.

AGG Advisory

This advisory describes two vulnerabilities in the AGG Web Server. The vulnerabilities were reported by Michael Heinzl. AGG has a new version that mitigates the vulnerabilities. There is no indication that Heinzl has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution and exposure of arbitrary system files.

Rockwell Advisory

This advisory describes a protection mechanism failure vulnerability in the Rockwell FactoryTalk Services Platform. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow remote, authenticated users to bypass FactoryTalk Security policies that are based on a computer name.

ZOLL Advisory

This advisory describes six vulnerabilities in the ZOLL Defibrillator Dashboard. The vulnerabilities were reported anonymously to CISA. ZOLL has new versions that mitigate the vulnerabilities.

The six reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2021-27489,

• Use of hard-coded cryptographic key - CVE-2021-27481,

• Cleartext storage of sensitive information - CVE-2021-27487,

• Cross-site scripting - CVE-2021-27479,

• Storing passwords in a recoverable format - CVE-2021-27485, and

• Improper privilege management - CVE-2021-27483.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution, allow an attacker to gain access to credentials, or impact confidentiality, integrity, and availability of the application.
