This week we have four vendor disclosures for products from Bosch (3) and Siemens. There is also a vendor update of a previously issued security advisory for products from Rockwell.
Bosch Advisories
Bosch published two advisories (here and here) for two vulnerabilities in their Smart Camera App for Android. These vulnerabilities are apparently self-reported. Bosch has a new version of the App that mitigates the vulnerabilities.
The two reported vulnerabilities are:
• Incorrect default permissions - CVE-2019-7729; and
• Improper certificate validation - CVE-2019-7728
Bosch published an advisory describing two vulnerabilities in its Rexroth IndraWorks WinStudio application. These are third-party software vulnerabilities originally reported by AVEVA in their InduSoft Web Studio. Bosch reports that all projects created with the vulnerable versions are affected by these vulnerabilities. Bosch only provides workarounds to mitigate these vulnerabilities in this advisory.
The two reported vulnerabilities are:
• Missing authentication for critical function - CVE-2019-6543; and
• Resource injection - CVE-2019-6545
Siemens Advisory
Siemens has published an advisory describing three vulnerabilities in the WibuKey Digital Rights Management (DRM) solution, which affect WinCC OA. These are the same vulnerabilities that Siemens previously reported in their SICAM 230 product. The original Talos reports on these third-party software vulnerabilities (CVE-2018-3989, CVE-2018-3990, and CVE-2018-3991) included exploits. Siemens has provided links to new versions of the WibuKey software to mitigate the vulnerabilities. There is no indication that Talos has verified the efficacy of the fix.
Rockwell Update
The Rockwell Industrial Security Advisory Index page indicates that they published an update to the advisory on their PowerMonitor 1000 Monitor product. This advisory was originally published in February. The update is apparently only currently available to companies with a current TechConnect contract (which I do not have). I expect that we will see an update published by NCCIC-ICS at some future date.