Saturday, April 15, 2017

Public ICS Vulnerability Disclosure – Week of 04-09-17

This week John Page (HYP3RLINX) published three control system security vulnerability reports on the Full Disclosure mailing list; all three reports include proof of concept exploit code. All three of the vulnerabilities were for products from Moxa; two for Moxa MXView (here and here) and one for MX-AOPC UA SERVER (here). Page reports that these were coordinated disclosures and that Moxa has updated firmware to mitigate all three vulnerabilities.

MXView


The two reported vulnerabilities are:

• Remote private key disclosure - CVE-2017-7455; and
• Denial of service - CVE-2017-7456

MX-AOPC UA SERVER



The sole reported vulnerability for this product is an XML external entity injection (CVE-2017-7457) vulnerability.

No comments:

 
/* Use this with templates/template-twocol.html */