Thursday, December 8, 2022

Review – 3 Advisories Published – 12-8-22

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation, Aveva, and Advantech.

Rockwell Advisory - This advisory describes an improper input validation vulnerability in the Rockwell CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers.

Aveva Advisory - This advisory describes a relative path traversal vulnerability (with known exploit) in the AVEVA InTouch Access Anywhere remote human machine interface (HMI) software.

NOTE: I briefly discussed the exploit on November 13th, 2022.

Advantech Advisory - This advisory describes an SQL injection vulnerability in the Advantech iView management software.

NOTE: I briefly discussed the Tenable report on October 1st, 2022.

Commentary

Neither AVEVA nor Advantech has yet published an advisory for its respective vulnerability, even though exploit code has been available for some time. On the plus side, both organizations have reportedly fixed their respective vulnerabilities. But the question remains: how do organizations get the information they need to assess the risk and decide if and when to update their control systems to avoid possible exploits? If companies are waiting for the NCCIC-ICS reports, it may already be too late.


This is not a complaint about delays in CISA publishing advisories; in both of these cases, CISA was notified about the vulnerabilities by the respective vendors.


For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-8-22 - subscription required.
