Saturday, July 15, 2017

ICS Public Disclosures – Week of 07-08-17

This week we have two public disclosures from vendors. The first is an interesting update of information from ABB and the second is a fresh self-disclosure from OSIsoft.

ABB Update

ABB published their security advisory for the vulnerabilities in their VSN300 Wi-Fi Logger Card that were earlier reported by ICS-CERT. There was no link to the ABB advisory in the ICS-CERT advisory because the ABB advisory was published two days later. The importance of the ABB advisory is that it includes exploit code for the two reported vulnerabilities, an unusual move for a vendor.

The publication of the exploit code needs to be taken into account in the risk analysis done by owners in their decision as to whether or not they will be updating the Card firmware.

It will be interesting to see if ICS-CERT updates their advisory.

Thanks to Joel Langill for pointing out the publication of this advisory.

OSIsoft Advisory

OSIsoft announced this week the publication of security updates for their PI Integrator For Business Analytics 2016, PI Integrator for Microsoft Azure 2016, and PI Integrator for SAP HANA 2016 products with new versions of all three being made available.

The new versions correct two self-identified vulnerabilities:

• Improper Neutralization of Input During Web Page Generation; and
• Improper Authorization

OSIsoft reports that: “An unauthorized user could gain privileged access to the PI Integrator application and views of PI System data. A miscreant could also store malicious script in the application database and subsequently execute it on the targeted user's machine.”
