Today, CISA’s NCCIC-ICS published two control system security advisories for products from Zavio and INEA. They also updated an advisory for products from Mitsubishi Electric.
There is a discrepancy in the advisory numbers published today: the two advisories end in -03 and -02, so CISA apparently skipped -01. While this could be an editorial mistake, it could mean that CISA published the ‘-01’ advisory to limited distribution on the Homeland Security Information Network (HSIN). This happens when CISA or the vendor has concerns about allowing critical infrastructure facilities a chance to mitigate a vulnerability before it is published. See the Baker Hughes advisory publicly published on February 24th, 2022.
Advisories
Zavio Advisory - This advisory describes five vulnerabilities in a number of Zavio IP Cameras.
INEA Advisory - This advisory describes two vulnerabilities in the INEA ME RTU.
Updates
Mitsubishi Update - This update provides additional information on an advisory that was originally published on July 27th, 2023 and most recently updated on August 3rd, 2023.
For more details about these advisories, including links to researcher reports with POC and a down-the-rabbit-hole look at CISA coordination efforts, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-7b1 - subscription required.