This afternoon the DHS ICS-CERT published an advisory for an ActiveX vulnerability in Canary Labs TrendLink [NOTE: ICS-CERT ‘misspells’ TrendLink with a space]. The vulnerability was reported by Kuang-Chun Hung of Security Research and Service Institute-Information and Communication Security Technology Center (ICST).

The advisory notes that a moderately skilled attacker could remotely exploit this vulnerability to conduct a DoS attack or perhaps execute arbitrary code. Canary Labs has produced an updated version of TrendLink that Kuang-Chun Hung has confirmed mitigates the identified vulnerability. The update is available from Product Support.

The TrendLink web page notes that:

“TrendLink can also be used as an ActiveX control that can be embedded in other programs. For example, TrendLink can be embedded into Human Machine Interfaces (HMI) and Internet applications.”

This means that this is another one of those product
vulnerabilities that might affect users that don’t realize that they utilize
TrendLink. It would be nice if there were some easy way for operators to
identify if their control system includes vulnerable subsystems like TrendLink.