Saturday, May 25, 2019

Public ICS Disclosure – Week of 05-18-19

This week we have three vendor disclosures from Eaton, Bosch and Miele. There is also one exploit report for products from Anvis. I also found more vendor information on the Microsoft® RDP  vulnerability.

Microsoft RDP Vulnerability

While the NCCIC-ICS has only released a very generic notice on the Microsoft® RDP vulnerability (CVE-2019-0708), a number of control system vendors this week have released their own outlook on the vulnerability in their products. The vendors include:

Philips (update); and
Siemens Healthineers:

With the number of medical device manufacturers reporting on the RDP vulnerability and the healthcare industry’s history of problems with WannaCry you would think that the FDA would have issued at least a generic warning on the issue; but no, there is nothing on the medical device safety page.

Eaton Advisory

Eaton published an advisory reporting an undescribed vulnerability in the Eaton easySoft V6. Eaton is working on a new version to mitigate the vulnerability and offers generic workarounds in the mean time.

NOTE: This has to be the worst corporate vulnerability disclosure ever. Oh well, at least an advisory was published.

Bosch Advisory

Bosch has published an advisory describing an unauthenticated certificate access vulnerability in the Bosch Video Recording Manager (VRM) software. Bosch has firmware updates that mitigate the vulnerability.

Miele Advisory

CERT-VDE has published an advisory describing two vulnerabilities in the Miele XGW 3000 ZigBee Gateway. The vulnerability was reported by Maxim Rupp. Miele has a new version that mitigates the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Improper authorization; and
Cross-site request forgery

Anvis Exploit

Wizlab-IT published an exploit for security issues with the Anvis M3 RFID Access Control product. This was a coordinated disclosure and Anvis has a new version of the device that mitigates the vulnerability.

NOTE: So all of the vulnerable devices will be replaced?????

No comments:

/* Use this with templates/template-twocol.html */