Security Flaws & Fixes - W/E - 080318

Advisory Issued for Metasys and BCPro from Johnson Controls (07/31/2018)
Johnson Controls' Metasys and BCPro have a bug that enables an information exposure through an error message. Users are instructed to upgrade to the latest version as this issue was patched in Metasys v8.1 (April, 2016). Further information is available from an ICS-CERT advisory.

Cisco Patches Prime Collaboration Software (08/01/2018)
Cisco Systems released a software update to fix the vulnerability found in the password-change function of its Prime Collaboration Provisioning offering. This flaw could potentially allow an authenticated remote attacker to render the system inoperable.

Firmware Version Released for Davolink DVW-3200N (07/31/2018)
All versions of Davolink's DVW-3200N prior to 1.00.06 have a password vulnerability, ICS-CERT has warned. A new firmware version has been released to mitigate the risk.

GAO Finds NNSA's Document Handling for Nuclear Contractors Lacking (08/02/2018)
A new report from the US Government Accountability Office (GAO) found that the US National Nuclear Security Administration (NNSA) should improve its document handling and tracking systems for paperwork relating to its $11 billion plus operating budget. An investigation by the GAO into the agency found that NNSA staff were "unable to promptly locate key contract documents, which NNSA officials need to effectively oversee these contracts, and justify awarding millions of federal dollars." The agency oversees the US nuclear weapons arsenal, among other things. The GAO is recommending that the NNSA "take steps to provide more timely and complete access to management and operating contract documents."

ICS-CERT Posts Two Advisories for AVEVA Products (07/31/2018)
AVEVA's InTouch Access Anywhere contains a cross-site scripting vulnerability related to the use of an insecure jQuery library. An ICS-CERT advisory offers update information. A second advisory provides details regarding a separate vulnerability in AVEVA's Wonderware License Server.

IRS Improved Security Somewhat but Further Protection Must Be Incorporated (07/31/2018)
In a new report, the Government Accountability Office (GAO) determined that the Internal Revenue Service (IRS) has made progress in resolving a number of previously reported deficiencies, such as enforcing the use of encryption to protect financial and taxpayer information. However, the GAO found new and continuing deficiencies, including unenforced rules for password security. In its report, the GAO has made five additional recommendations to the IRS to improve its security. In a separate report with limited distribution, the agency recommended 32 other actions to address newly identified deficiencies at the IRS.

Researchers Uncover Remote Spectre Attack Method (07/31/2018)
Researchers from Graz University of Technology in Austria have demonstrated a method by which Spectre attacks can be launched remotely over the network without executing code on the target machine. The technique, dubbed "NetSpectre," has been executed successfully in local area networks and between virtual machines in Google Cloud. The team believes NetSpectre leaves billions of devices vulnerable, but data is leaked much more slowly than in traditional Spectre attacks. The researchers disclosed their findings to Intel in March.

Samsung Updates SmartThings Hub Firmware to Mitigate Attacks (07/30/2018)
Multiple bugs in the firmware of Samsung's SmartThings Hub could enable an attacker to execute operating system commands or other arbitrary code on affected devices, the Talos research team at Cisco has warned. The SmartThings Hub functions as a centralized controller for various Internet of Things devices, including smart plugs, LED light bulbs, thermostats, and cameras, and allows users to remotely connect to and manage these devices using a smartphone. Talos found 20 vulnerabilities, some of which could be chained together to mount a significant attack on the device. Samsung was notified and issued a firmware update.

Users of WECON's LeviStudioU Warned of Security Issues (07/31/2018)
ICS-CERT has reported that WECON's LeviStudioU, versions 1.8.29 and 1.8.44, are vulnerable to stack-based overflow and heap-based buffer overflow bugs. Updating to the latest version may address some of the issues.