Advantech WebAccess (ICSA-19-260-01) – Product Used in the Water and Wastewater and Energy Sectors

CISA has released an advisory on code injection, command injection, stack-based buffer overflow, and improper authorization vulnerabilities in Advantech WebAccess. Versions 8.4.1 and prior are affected. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system. Advantech has released Version 8.4.2 of WebAccessNode to address the reported vulnerabilities. CISA also recommends a series of measures to mitigate the vulnerabilities.

Top 25 Most Dangerous Software Errors

MITRE has released the 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list. It is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in software. MITRE notes these weaknesses are often easy to find and exploit and are dangerous because they frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. Access the list at MITRE.

3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server (ICSA-19-255-05)

CISA has published an advisory on an improper input validation vulnerability in 3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could cause a denial-of-service condition. 3S-Smart Software Solutions GmbH has released Version 3.5.15.0 to resolve this vulnerability for all affected CODESYS products. CISA also recommends a series of measures for mitigating the vulnerability.

3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server (ICSA-19-255-04)

CISA has published an advisory on a NULL pointer dereference vulnerability in 3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could cause a denial-of-service condition. 3S-Smart Software Solutions GmbH has released Version 3.5.15.0 to resolve this vulnerability for all affected CODESYS products. CISA also recommends a series of measures for mitigating the vulnerability.

3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management (ICSA-19-255-03)

CISA has published an advisory on an incorrect permission assignment for critical resource vulnerability in 3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could allow unauthorized actors access to unintended functionality and/or information. 3S-Smart Software Solutions GmbH has released Version 3.5.13.0 to resolve this vulnerability for all affected CODESYS products. CISA also recommends a series of measures for mitigating the vulnerability.

3S-Smart Software Solutions GmbH CODESYS V3 Web Server (ICSA-19-255-01)

CISA has published an advisory on path traversal and stack-based buffer overflow vulnerabilities in 3S-Smart Software Solutions GmbH CODESYS V3 web server. Numerous products and versions of these products are affected. Successful exploitation of these vulnerabilities may allow an attacker to create a denial-of-service condition, to perform remote code execution, or to access restricted files. 3S-Smart Software Solutions GmbH has released Versions 3.5.12.80, 3.5.14.10, and 3.5.15.0 to resolve the vulnerabilities for the affected CODESYS products.

We Don’t “WannaCry” Again Over Unpatched Vulnerabilities – BlueKeep Exploit Now Publicly Available

In June, Microsoft (and the NSA) implored organizations to patch now for CVE-2019-0708, which had been released in May. This urging harked back to May 2017, when unpatched systems were infected with WannaCry, the EternalBlue worm that spread through Server Message Block (SMB). CVE-2019-0708, a worm better known as “BlueKeep,” affects Remote Desktop Services (RDP) residing on earlier versions of Windows, including Windows 2003 and XP, Vista, 7, Server 2008 R2, and Server 2008. Similar to 2017, Microsoft issued a patch months ago, prior to any known working exploits in the wild.

Microsoft Releases September 2019 Security Updates

Microsoft has released its monthly update to address vulnerabilities in its software. For this month, Microsoft has released security updates for Microsoft Windows, Internet Explorer, Microsoft Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Adobe Flash Player, Microsoft Lync, Visual Studio, Microsoft Exchange Server, .NET Framework, Microsoft Yammer, .NET Core, ASP.NET, Team Foundation Server, and Project Rome.

Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A) (ICS-ALERT-19-225-01)

The NCCIC has updated its alert on proof-of-concept exploit code affecting Mitsubishi Electric Europe B.V. smartRTU (Versions 2.02 and prior) and INEA ME-RTU (Versions 3.0 and prior), both remote terminal unit (RTU) products. According to a public report on the matter, there are multiple vulnerabilities that could be exploited to gain remote code execution with root privileges. CISA has notified Mitsubishi Electric Europe B.V. of the report and has asked them to confirm the vulnerabilities and identify mitigations.
