
Tuesday, January 23, 2024

Review – 6 Advisories Published – 1-23-24

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Lantronix, Westermo, Voltronic Power, Crestron, and APsystems, and one medical device security advisory for products from Orthanc.

Advisories

Lantronix Advisory - This advisory describes a weak encoding for passwords vulnerability in the Lantronix XPort Device Server Configuration Manager.

Westermo Advisory - This advisory describes eight vulnerabilities in the Westermo Lynx 206-F2G layer-three industrial Ethernet switch.

Voltronic Advisory - This advisory describes four vulnerabilities in the Voltronic ViewPower Pro Uninterruptable Power Supply (UPS) management software.

APsystems Advisory - This advisory describes an improper access control vulnerability in the APsystems Energy Communication Unit (ECU-C) Power Control Software.

Orthanc Advisory - This advisory describes a cross-site scripting vulnerability in the Orthanc Osimis Web Viewer.


For more details about these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-1-23-24 - subscription required.

Thursday, August 9, 2018

ICS-CERT Publishes Two Advisories


Today the DHS ICS-CERT published two control system security advisories for products from NetComm and Crestron.

NetComm Advisory


This advisory describes four vulnerabilities in the NetComm 4G LTE Light Industrial M2M Router. The vulnerabilities were reported by Aditya K. Sood. NetComm has new firmware that mitigates the vulnerabilities. There is no indication that Sood has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Information exposure - CVE-2018-14782;
• Cross-site request forgery - CVE-2018-14783;
• Cross-site scripting - CVE-2018-14784; and
• Information exposure through directory listing - CVE-2018-14785

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for the exposure of sensitive information.

Crestron Advisory


This advisory describes four vulnerabilities in the Crestron TSW-X60 and MC3 products. The vulnerabilities were independently reported by Jackson Thuraisamy (via Security Compass) and Ricky “HeadlessZeke” Lawshae (via the Zero Day Initiative). Crestron has firmware versions available that mitigate the vulnerabilities. There is no indication that either researcher has been offered an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• OS command injection (2) - CVE-2018-11228 and CVE-2018-11229;
• Improper access control - CVE-2018-10630; and
• Insufficiently protected credentials - CVE-2018-13341

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution with escalated system privileges.

NOTE: Is it just me or does it seem odd that the same vulnerabilities are found in a touch-screen device and a control system processor controller?
