Saturday, August 24, 2019

Public ICS Disclosures – Week of 08-17-19

This week we have two vendor disclosures for products from Bosch and Schneider and an update from Schneider.

Bosch Advisory

Bosch published an advisory describing three vulnerabilities in their ProSyst mBS SDK and Bosch IoT Gateway Software. The vulnerabilities are being self-reported. Bosch has new versions that mitigate the vulnerabilities.

The three reported vulnerabilities are:

Path traversal - CVE-2019-11601;
Server-side request forgery - CVE-2019-11897; and
Information exposure through an error message - CVE-2019-11602

Schneider Advisory

Schneider published an advisory for the latest Microsoft® Remote Desktop Services (DejaBlue) vulnerabilities in their products running on machines using various MS operating systems. Generic mitigations are provided. Schneider does provide the following warning about applying the MS patches that should mitigate these vulnerabilities:

“Please note that as of the date of this publication, it is unclear how Microsoft’s patches and updates will affect systems performance. Therefore, customers should proceed with caution when applying these patches to critical operating systems and/or performance-constrained systems. We strongly recommend evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure.”

NOTE: This advisory has already been updated twice.

Schneider Update

Schneider published an update for their advisory on the Wind River VxWorks vulnerabilities in their products. They changed the affected products list by:

Removing Modicon M580 Ethernet / Serial RTU Module; and
Adding Modicon eX80 - BMEAHI0812 HART Analog Input Module
