Thursday, June 6, 2013

Invensys ICS/SCADA fixes

Invensys published updates to fix CVE-2013-0688/CVE-2013-0684/CVE-2013-0686/CVE-2013-0685 discovered by SCADA StrageLove team during assesment of ICS/SCADA based on ArchestrA System Platform. There are several trivial and some interesting bugs in Invensys Wonderware Information Server (WIS).
Patches (limited access):
ICS-CERT advisory ICSA-13-113-01:\

  • SQLi ~10 instances
  • XSS ~30 instances
  • XXE/XXE OOB/“ADSI Injection” and other interesting stuff…

    Gleb Gritsai
    Nikita Mikhalevsky
    Timur Yunusov
    Denis Baranov
    Ilya Karpov
    Vyacheslav Egoshin
    Dmitry Serebryannikov
    Alexey Osipov
    Ivan Poliyanchuk
    Evgeny Ermakov


    Thanks to Invensys security team for collaboration and rapid fixes.

    No comments:

    Post a Comment