Tag: DoS

security advisory

[ICS] Digital Canal Structural Wind Analysis Stack Buffer Overflow

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02

Vendor: Digital Canal Structural
Equipment: Wind Analysis
Vulnerability: Stack-Based Buffer Overflow

AFFECTED PRODUCTS
The following versions of Wind Analysis, a structural engineering software platform, are affected:
Wind Analysis versions 9.1 and prior.

IMPACT
Successful exploitation of this vulnerability could cause the device that the attacker is accessing to become unavailable, resulting in a denial of service.

Read on for details.

security advisory

[ICS] Trihedral VTScada Multiple Vulnerabilities

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01

Vendor: Trihedral
Equipment: VTScada
Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure

AFFECTED PRODUCTS

The following versions of VTScada, an HMI SCADA software, are affected:
VTScada Versions prior to 11.2.26

Read on for details.

security advisory

LG-Nortel ADSL modem Multiple Vulnerabilities

A while back in April – May 2015, on a pentest in Sydney, I was testing a LG-Nortel ADSL modem for a customer. This device model is heavily deployed by Optus in Australia (Sydney) for its SOHO broadband customers. Found several security flaws on the device which I then reported to appropriate teams.

(Potential) Estimated deployment size is 20-30% of customer base.
Optus, CERT-US, CERT-AU, are aware of these issues.
Ownership of this model by LG Nortel could not be identified. <--- The issues are not fixed. This device may very well be used by other Service Providers and / or in other locations. I am not sure if & how this device might connect back to Optus network. If it does connect / talk back, it'd be interesting what impact it can create.