Today, CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation, Aveva, and Advantech.
Rockwell Advisory - This advisory describes an improper input validation vulnerability in the Rockwell CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers.
Aveva Advisory - This advisory describes a relative path traversal vulnerability (with known exploit) in the AVEVA InTouch Access Anywhere remote human machine interface (HMI) software.
NOTE: I briefly discussed the exploit on November 13th, 2022.
Advantech Advisory - This advisory describes an SQL injection vulnerability in the Advantech iView management software.
NOTE: I briefly discussed the Tenable report on October 1st, 2022.
Commentary
Neither AVEVA nor Advantech has yet published an advisory for their respective vulnerabilities, even though exploit code has been available for some time. On the plus side, both organizations have reportedly fixed their respective vulnerabilities. But the question remains: how do organizations get the information necessary to make the risk assessment that determines if/when they will update their control systems to avoid possible exploits? If companies are waiting for the NCCIC-ICS reports, it may already be too late.
This is not a complaint about delays in CISA publishing advisories; in both of these cases, CISA was notified about these vulnerabilities by the respective vendors.
For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-8-22 - subscription required.