This week we have eight vendor disclosures for products from
PEPPERL+FUCHS, ABB (4), B&R Automation, GE Digital and BD and updates for
two previous vendor disclosures from 3S.
PEPPERL+FUCHS Advisory
VDE CERT published an advisory
describing a time-of-check time-of-use race condition vulnerability in the
PEPPERL+FUCHS Tab-Ex 02 mobile device. This is the third-party 'Kr00k' vulnerability affecting
encrypted WiFi traffic, and PEPPERL+FUCHS reports that this is the only device
of theirs that is vulnerable. PEPPERL+FUCHS plans on releasing an update to
mitigate this vulnerability in May 2020.
NOTE: This vulnerability affects a variety of Broadcom and
Cypress chipsets.
ABB Advisories
ABB published an
advisory describing two weak file permission vulnerabilities in their System
800xA. The vulnerabilities were reported by William Knowles at Applied Risk.
ABB has new versions that mitigate the vulnerabilities. There is no indication
that Knowles has been provided an opportunity to verify the efficacy of the
fix.
ABB published an
advisory describing four vulnerabilities in their Telephone Gateway. The
vulnerabilities were reported by Maxim Rupp. The product was phased out in 2015
and there are no plans to mitigate the vulnerabilities.
The four reported vulnerabilities are:
• Improper authentication and access control - CVE-2019-19104;
• Unprotected storage of credentials - CVE-2019-19105;
• Permissions, privileges and access control - CVE-2019-19106; and
• Information exposure - CVE-2019-19107
ABB published an
advisory describing a remote code execution vulnerability in their System
800xA information manager. The vulnerability was reported by William Knowles at
Applied Risk. An update to mitigate this vulnerability will be included in the
next product release.
ABB published an
advisory describing a weak registry permissions vulnerability in their System
800xA. The vulnerability was reported by William Knowles at Applied Risk. ABB
has a new version that mitigates the vulnerability. There is no indication that
Knowles has been provided an opportunity to verify the efficacy of the fix.
B&R Advisory
B&R published an
advisory describing a race condition vulnerability in a variety of their
products. This is the third-party Intel TPM Fail vulnerability. B&R has BIOS patches available to
mitigate the vulnerability.
GE Advisory
GE published an
advisory describing a privilege escalation vulnerability in their CIMPLICITY
HMI/SCADA product. The vulnerability was reported by Claroty. GE has a new
version that mitigates the vulnerability. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the fix.
BD Advisory
BD published an
advisory describing three remote code execution vulnerabilities in a
variety of BD products. These are third-party Microsoft vulnerabilities in the
Remote Desktop services. BD reports that it is currently working to test and
validate the Microsoft patch for their products.
The three reported vulnerabilities (links are to MS reports
on the vulnerability) are:
• CVE-2020-0610; and
3S Updates
3S published an
update [.PDF download link] for an advisory that was originally
published on March 25th, 2020. The new information includes
reporting the availability of publicly available proof-of-concept exploit code
that I reported last week.
3S published an
update [.PDF download link] for an advisory that was originally
published on March 25th, 2020. The new information includes
reporting the availability of publicly available proof-of-concept exploit code
that I reported last week.
Commentary
There are a lot of ‘third-party’ vulnerabilities being reported
this week; all in systems that are likely to be found in products from other
vendors. This is especially true when the ‘third-party’ is a major player like
Intel or Microsoft.