Yesterday the DHS ICS-CERT published two control system
security advisories for products from Advantech and Siemens.
Advantech Advisory
This advisory
describes two vulnerabilities in the Advantech WebAccess HMI platform. The
vulnerabilities were reported by Steven Seeley via the Zero Day Initiative. Advantech
released a new version to mitigate the vulnerabilities. There is no indication
that Seeley has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2017-14016; and
• Untrusted pointer dereference - CVE-2017-12719
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow remote code execution.
Siemens Advisory
This advisory
describes an improper input validation vulnerability in the Siemens SIMATIC
PCS7 distributed control system. The vulnerability was reported by Sergey
Temnikov and Vladimir Dashchenko of Kaspersky Labs. Siemens has issued an
update for some versions to mitigate the vulnerability. There is no indication
that the researchers were provided an opportunity to verify the efficacy of the
fix. Siemens has provided interim mitigation suggestions pending updates to the
other versions.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to crash services on the device. The
Siemens security
advisory reports that: “The attacker must be member of the group administrators
and have network access to an affected system.”
NOTE: Siemens reported
this vulnerability on October 18th.