Saturday, February 29, 2020

Public ICS Disclosures – Week of 2-22-20

This week we have two vendor disclosures for products from Phoenix Contact and Moxa and an update from Belden. We also have a researcher disclosure for products from Honeywell.

Phoenix Contact Advisory

Phoenix Contact published an advisory [.PDF download link] describing two of the Urgent/11 vulnerabilities in their FL Switch GHS articles. These vulnerabilities are self-reported. Phoenix Contact provides generic workarounds to mitigate the vulnerabilities.

Moxa Advisory

Moxa published an advisory describing twelve vulnerabilities in their AWK-3131A Series Industrial AP/Bridge/Client. The vulnerabilities were reported by Talos Intelligence (CVE links below to individual Talos reports with proof of concept code). Moxa has a security patch to mitigate the vulnerabilities. There is no indication that Talos has been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Improper access control (2) - CVE-2019-5136 and CVE-2019-5162;
• Use of hard-coded cryptographic key - CVE-2019-5137;
• Improper neutralization of special elements used in an OS command (4) - CVE-2019-5138, CVE-2019-5140, CVE-2019-5141, and CVE-2019-5142;
• Use of hard-coded credentials - CVE-2019-5139;
• Buffer copy without checking size of input - CVE-2019-5143;
• Out-of-bounds read - CVE-2019-5148;
• Stack-based buffer overflow - CVE-2019-5153; and
Authentication bypass using alternate path or channel - CVE-2019-5165

Belden Update

Belden published an update to their HiOS advisory that was originally published on February 14th. The new information includes:

• Revised list of affected products;
• Revised list of available updates; and
• Added workaround

Honeywell Report

Applied Risk published their report on the Honeywell vulnerabilities that were reported earlier this month.

No comments:

/* Use this with templates/template-twocol.html */