
    Rockwell Automation to Patch Publicly Disclosed Power Monitor Flaws

    February 20, 2019

    Rockwell Automation is working on patches for two vulnerabilities affecting its Allen-Bradley PowerMonitor 1000 products. Details of the flaws have been public since November 2018.

    Rockwell Automation and ICS-CERT warned recently that PowerMonitor 1000 power monitors are impacted by authentication bypass and stored cross-site scripting (XSS) vulnerabilities.

    The affected product is designed to provide load profiling, cost allocation, and energy control information when integrated with other energy monitoring systems.

    The XSS flaw, classified as “medium severity” with a CVSS score of 6.1, allows a remote and unauthenticated attacker to inject arbitrary code into a user’s web browser session. The authentication bypass vulnerability, rated “critical” with a CVSS score of 9.8, can be exploited by an unauthenticated attacker to gain admin access to the device.

    Advisories published on November 27, 2018, by Luca Chiou, the researcher who uncovered the vulnerabilities, provide enough information to allow malicious actors to exploit the vulnerabilities, a fact that Rockwell Automation has acknowledged in its advisory.

    According to Chiou, the XSS flaw can be exploited by adding a new user to a specific file stored on the device. Instead of regular user data, an attacker can add malicious code that is stored in the application’s database and executed whenever a legitimate user accesses a page that displays user account data.

    As for the authentication bypass issue, Chiou found that a “disabled” parameter present in the source code of the login page is used to prevent unauthorized users from accessing functions such as Edit, Remove, AddNew, Change Policy Holder, and Security Configuration.

    An attacker can use a proxy to remove the “disabled” parameter, which gives them access to the aforementioned functions. They could then use the AddNew function to create a new admin account that gives them complete control over the targeted device.
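As an added illustration (not code from Rockwell Automation, Chiou’s advisory, or the device firmware), the following toy web handler models the two defect classes described above, each beside its hardened form: access control that exists only as a `disabled` marker in the rendered page, and account data written into HTML without escaping. All names (`Session`, `Device`, `add_new_*`, `render_*`) are hypothetical.

```python
"""Toy model of the PowerMonitor-style defects; constructed example, not vendor code."""
import html
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str  # "admin" or "viewer", established server-side at login


@dataclass
class Device:
    users: dict = field(default_factory=lambda: {"admin": "admin"})


def render_controls(session: Session) -> str:
    """The page withholds the AddNew control from non-admins with an HTML
    attribute. That is a usability hint only; the browser enforces it, the
    server does not, so it cannot be the authorization boundary."""
    attr = "" if session.role == "admin" else " disabled"
    return f'<button name="AddNew"{attr}>AddNew</button>'


def add_new_vulnerable(dev: Device, session: Session, form: dict) -> str:
    """No server-side check: any request that reaches this handler is honoured,
    whatever the session's role, so the 'disabled' marker is the only barrier."""
    dev.users[form["name"]] = form.get("role", "viewer")
    return "200 user added"


def add_new_hardened(dev: Device, session: Session, form: dict) -> str:
    """Authorization is decided from the server-side session, never from what
    the page rendered, and the submitted fields are validated."""
    if session.role != "admin":
        return "403 forbidden"
    role = form.get("role", "viewer")
    if role not in ("admin", "viewer") or not form.get("name", "").isalnum():
        return "400 bad request"
    dev.users[form["name"]] = role
    return "200 user added"


def render_users_vulnerable(dev: Device) -> str:
    # Stored XSS: stored names are written into the page verbatim.
    return "".join(f"<li>{name}</li>" for name in dev.users)


def render_users_hardened(dev: Device) -> str:
    # HTML-escaping at output time neutralises markup stored in the name field.
    return "".join(f"<li>{html.escape(name)}</li>" for name in dev.users)
```

The hardened handler also rejects names that are not plain alphanumerics, which is the input-side complement to escaping on output.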


    ICS-CERT and Rockwell Automation list the CVE identifiers CVE-2019-19615 and CVE-2019-19616 for these flaws, but the correct identifiers are likely CVE-2018-19615 and CVE-2018-19616. SecurityWeek has reached out to the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) for confirmation.

    Patches have yet to be released, but Rockwell Automation has provided a series of mitigations (registration required) that should prevent attacks. These include using firewalls to block unauthorized access, running software with lower privileges, minimizing network exposure, and using VPNs for remote access. The automation giant also pointed out that Check Point Software Technologies products include rules for detecting potential attacks exploiting these flaws.


    Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
