News, Vulnerabilities

Cyber espionage group used CVE-2018-8589 Windows Zero-Day in Middle East Attacks 

Kaspersky revealed that the CVE-2018-8589 Windows 0-day fixed in Microsoft's Nov. 2018 Patch Tuesday has been exploited by at least one APT group in attacks in the Middle East. Kaspersky Lab experts revealed that the CVE-2018-8589 Windows zero-day vulnerability addressed by Microsoft's November 2018 Patch Tuesday has been exploited by an APT group in…

News, Vulnerabilities

Siemens SIMATIC Panels 

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SIMATIC Panels Vulnerabilities: Path Traversal, Open Redirect 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow download of arbitrary files from the device, or allow URL redirections to untrusted websites. 3. TECHNICAL…

News, Vulnerabilities

Siemens SIMATIC IT Production Suite 

1. EXECUTIVE SUMMARY CVSS v3 7.7 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: SIMATIC IT Production Suite Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports this…

News, Vulnerabilities

Siemens SIMATIC STEP 7 (TIA Portal) 

1. EXECUTIVE SUMMARY CVSS v3 4.0 ATTENTION: Low skill level to exploit Vendor: Siemens Equipment: SIMATIC STEP 7 (TIA Portal) Vulnerability: Unprotected Storage of Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to reconstruct passwords. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports the…

News, Vulnerabilities

Siemens SIMATIC S7 

1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SIMATIC S7 Vulnerability: Resource Exhaustion 2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition that could result in a loss of availability of the affected device. 3. TECHNICAL…

News, Vulnerabilities

Siemens SCALANCE S 

1. EXECUTIVE SUMMARY CVSS v3 4.7 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: SCALANCE S Vulnerability: Cross-site Scripting 2. RISK EVALUATION If an attacker tricks a user into clicking a malicious link, the device could allow arbitrary script injection (XSS). 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports the following…

News, Vulnerabilities

Siemens S7-400 CPUs 

1. EXECUTIVE SUMMARY CVSS v3 8.2 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: S7-400 CPUs Vulnerabilities: Improper Input Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash the device being accessed which may require a manual reboot or firmware re-image to bring the system…

News, Vulnerabilities

Siemens IEC 61850 System Configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC 

1. EXECUTIVE SUMMARY CVSS v3 4.2 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC Vulnerability: Improper Access Control 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to exfiltrate limited data…