Thursday, December 8, 2016

ICS-CERT Publishes Four Advisories

Today the DHS ICS-CERT published four control system security advisories for products from INTERSCHALT, Adcon, Sauter and Moxa.

INTERSCHALT Advisory


This advisory describes a path traversal vulnerability the INTERSCHALT Maritime Systems (INTERSCHALT) VDR G4e application. The vulnerability was reported by Maxim Rupp. INTERSCHALT has produced a patch to mitigate this vulnerability. ICS-CERT reports that Maxim has verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to read/download arbitrary files from the target host.

Adcon Advisory


This advisory describes a cross-site scripting vulnerability in the Adcon Telemetry A850 Telemetry Gateway Base Station. The vulnerability was reported by the Aditya K. Sood. Adcon has produced a new firmware version to mitigate the vulnerability. There is no indication that Sood has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow the injection of arbitrary JavaScript that may affect the integrity of the system.

Sauter Advisory


This advisory describes an authentication bypass vulnerability in the Sauter NovaWeb web HMI application. The vulnerability was reported by Maxim Rupp. The HMI application is no longer supported so there will be no fix for the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to gain authorized access to the application.

Moxa Advisory


This advisory describes two vulnerabilities in the Moxa MiiNePort. The vulnerabilities were reported by Aditya Sood. Moxa has produced new firmware versions to mitigate the vulnerabilities. There is no indication that Sood was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Permissions, privileges, and access controls - CVE-2016-9344; and

• Cleartext storage of sensitive information - CVE-2016-9346

No comments:

 
/* Use this with templates/template-twocol.html */