Friday, November 10, 2017

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for products from Schneider and AutomationDirect.

Schneider Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Schneider InduSoft Web Studio and InTouch Machine Edition. The vulnerabilities were reported by Aaron Portnoy, formerly of Exodus Intelligence. Schneider has produced new versions that mitigate the vulnerability. There is no indication that Portnoy has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit this vulnerability and execute code with high privileges. The Schneider security bulletin notes that the vulnerability exists during tag subscription.
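To make the bug class concrete, here is an added illustration that is not Schneider's code and does not reflect the real InduSoft/InTouch protocol: it assumes a made-up tag-subscription request consisting of one length byte followed by the tag name, and shows a copy that trusts that length next to a parser that bounds it against the stack buffer and the bytes actually received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example: one length byte
 * followed by that many bytes of tag name. Not the product's real protocol. */
#define TAG_NAME_MAX 16

/* The bug class the advisory names: the length byte comes from the peer and
 * is used unchecked, so a claimed length larger than the stack buffer
 * overruns it. Shown only as the "before" pattern; not called below. */
void parse_tag_unchecked(const uint8_t *msg, size_t msg_len)
{
    char name[TAG_NAME_MAX];
    if (msg_len < 1)
        return;
    size_t len = msg[0];
    memcpy(name, msg + 1, len);          /* no bound against sizeof name */
    name[len] = '\0';                    /* can also write past the end */
    printf("subscribed to %s\n", name);
}

/* Hardened form: validate the claimed length against both the destination
 * buffer and the bytes actually received before copying anything.
 * Returns true if the request was accepted, false if it was rejected. */
bool parse_tag_checked(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_size)
{
    if (msg == NULL || out == NULL || out_size == 0 || msg_len < 1)
        return false;
    size_t len = msg[0];
    if (len == 0 || len >= out_size)     /* must leave room for the NUL */
        return false;
    if (len > msg_len - 1)               /* claims more than was sent */
        return false;
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return true;
}

/* Wrapper with a stack buffer the same size as the vulnerable one. */
bool subscribe_tag(const uint8_t *msg, size_t msg_len)
{
    char name[TAG_NAME_MAX];
    return parse_tag_checked(msg, msg_len, name, sizeof name);
}

int main(void)
{
    /* Constructed sample requests: one well-formed, one with an oversized
     * length byte of the kind that would overrun parse_tag_unchecked. */
    const uint8_t good[] = { 5, 'P', 'u', 'm', 'p', '1' };
    uint8_t bad[1 + 200];
    memset(bad, 'A', sizeof bad);
    bad[0] = 200;
    printf("good request accepted: %d\n", subscribe_tag(good, sizeof good));
    printf("oversized request accepted: %d\n", subscribe_tag(bad, sizeof bad));
    return 0;
}
```

The two checks in `parse_tag_checked` address different failures: the first keeps the copy inside the destination buffer, the second keeps the read inside the received message, so a short packet with a large length byte cannot leak stale stack or heap bytes either.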

AutomationDirect Advisory


This advisory describes an uncontrolled search path element vulnerability in a number of AutomationDirect products. The vulnerability was reported by Mark Cross of RIoT Solutions. Newer software versions are available from AutomationDirect that mitigate the problem. There is no indication that Cross has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to execute arbitrary code on the system.
