This week we have four vendor disclosures from WAGO, Bosch
(2), and Schneider; and two vendor updates from Siemens.
WAGO Advisory
CERT-VDE published an advisory describing
a use of hardcoded credentials vulnerability in the WAGO Series 750-88x and
750-87x devices. The vulnerability was reported by Jörn Schneeweisz of Recurity
Labs. WAGO has firmware updates available that mitigate the vulnerability.
There is no indication that Schneeweisz has been provided an opportunity to
verify the efficacy of the fix.
NOTE: I suspect that NCCIC-ICS will publish an advisory on
this vulnerability next week.
Bosch Advisories
Bosch published an advisory
describing a buffer overflow vulnerability in the Bosch Security Systems
Software for Video, PSIM and Access. This vulnerability is apparently self-reported.
Bosch has software updates that mitigate the vulnerability.
Bosch published an advisory
describing an improper access control vulnerability in the Bosch Security
Systems Software for Video, PSIM and Access Control Systems. This vulnerability
is apparently self-reported. Bosch has software updates that mitigate the vulnerability.
Schneider Advisory
Schneider published an
advisory describing an externally controlled reference to a resource
vulnerability in the Schneider Modbus Serial Driver. The vulnerability was
reported by Reid Wightman of Dragos. Schneider has an updated driver that
mitigates the vulnerability. There is no indication that Reid has been provided
an opportunity to verify the efficacy of the fix.
Siemens Updates
Siemens updated an
advisory for Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial
Products. Siemens added a solution for SIMATIC HMI Panels V14.
NOTE: NCCIC-ICS will not update their advisory
for this vulnerability since the link to the Siemens advisory will take one to
the current version.
Siemens updated an
advisory for Vulnerabilities in the additional GNU/Linux subsystem
of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. Siemens
added CVE-2019-6293 to the list of vulnerabilities covered by this advisory.
NOTE: NCCIC-ICS has not published an advisory or alert on
this family of Linux vulnerabilities.