More than two months after the original advisory went out, Siemens has released patches for a pair of critical vulnerabilities in some versions of its Simatic WinCC SCADA product that remained vulnerable. Both of the vulnerabilities are remotely exploitable and have potentially damaging consequences for companies running affected versions of the product. One of the […]
Tag Archives: Critical Infrastructure
Siemens ICS Switches Hit With Buffer Overflow, Authentication Bugs
There are a number of serious vulnerabilities in the Siemens Ruggedcom WIN switches, including a remotely exploitable buffer overflow and a flaw that could allow an attacker to take actions on the device without authentication. The vulnerabilities affect several models of the Ruggedcom WIN switches, including WIN51xx all versions prior to SS4.4.4624.35, WIN52xx: all versions […]
Schneider Electric Patches Buffer Overflow in ICS Products
There is a remotely exploitable buffer overflow in a handful of software products from Schneider Electric that could allow an attacker to execute arbitrary code on vulnerable machines. The vulnerability lies in a DLL that’s installed with a Device Type Manager that is part of several Schneider products, including the Unity Pro development software, the […]
Researchers Link Regin to Malware Disclosed in Recent Snowden Documents
Kaspersky Lab has found shared code and functionality between the Regin malware platform and a keylogger described in recently disclosed Snowden documents.
Hard-Coded FTP Credentials Found in Schneider Electric SCADA Gateway
Two flaws in Schneider Electric’s ETG3000 FactoryCast HMI Gateway allow unauthenticated remote access to the device’s FTP server and configuration file.
Root Password Found in Ceragon Microwave Bridges
An undocumented default root password was discovered in Ceragon Networks microwave bridges that facilitate wireless voice and data services.
GE Ethernet Switches Have Hard-Coded SSL Key
There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely. The vulnerability exists in a number of GE Ethernet switches, including the GE Multilink […]
Certificate Transparency Moves Forward With First Independent Log
The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicator in Google Chrome. On Jan. 1, a CT log operated by […]
U.S. Sanctions North Korea Defense Agencies, Individuals in Sony Hack
President Obama signed an Executive Order sanctioning three North Korea defense agencies and 10 individuals for the country’s alleged role in the Sony hack.
2014: A Specious Odyssey
The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it’s time to scramble again. In 2014, those small moments of downtime were hard to come by.