This week we have two vendor disclosures for products from
Phoenix Contact and Moxa and an update from Belden. We also have a researcher
disclosure for products from Honeywell.
Phoenix Contact Advisory
Phoenix Contact published an
advisory [.PDF download link] describing two of the Urgent/11 vulnerabilities in their FL
Switch GHS articles. These vulnerabilities are self-reported. Phoenix Contact
provides generic workarounds to mitigate the vulnerabilities.
Moxa Advisory
Moxa published an advisory describing twelve vulnerabilities in their AWK-3131A Series
Industrial AP/Bridge/Client. The vulnerabilities were reported by Talos
Intelligence (the CVE links below point to the individual Talos reports, which
include proof-of-concept code). Moxa has a security patch to mitigate the
vulnerabilities. There is no indication that Talos has been provided an
opportunity to verify the efficacy of the fix.
The twelve reported vulnerabilities are:
• Use of hard-coded cryptographic key - CVE-2019-5137;
• Improper neutralization of special elements used in an OS command (4) - CVE-2019-5138, CVE-2019-5140, CVE-2019-5141, and CVE-2019-5142;
• Use of hard-coded credentials - CVE-2019-5139;
• Buffer copy without checking size of input - CVE-2019-5143;
• Out-of-bounds read - CVE-2019-5148;
• Stack-based buffer overflow - CVE-2019-5153;
and
Belden Update
Belden published an
update to their HiOS advisory that was originally
published on February 14th. The new information includes:
• Revised list of affected products;
• Revised list of available updates; and
• Added workaround
Honeywell Report
Applied Risk published their report on the
Honeywell vulnerabilities that were
reported earlier this month.