Thursday, December 21, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published control system security advisories for products from Schneider and Moxa.

Schneider Advisory 

This advisory describes three vulnerabilities in the Schneider Pelco VideoXpert Enterprise products. The vulnerabilities were reported by Gjoko Krstic. Schneider has released a firmware update that mitigates the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Path traversal (2) - CVE-2017-9964, CVE-2017-9965; and
• Improper access control - CVE-2017-9966

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain system privileges or allow an unauthorized user to view files.

Moxa Advisory


This advisory describes a credentials management vulnerability in the Moxa NPort serial network interface. The vulnerability was reported by Federico Maggi. Moxa has produced a new firmware version that mitigates the vulnerability. There is no indication that Maggi was provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthorized access.
