This week we have two vendor disclosures for products from
Moxa and BD. We also have one researcher disclosure for products from Flexera.
Moxa Advisory
Moxa published an
advisory describing an unauthenticated information disclosure vulnerability
in their NPort 5100A Series Serial Device Servers. The vulnerability was
reported by Maayan Fishelov from SCADAfence. Moxa has a new firmware version that
mitigates the vulnerability. There is no indication that Fishelov has been
provided an opportunity to verify the efficacy of the fix.
BD Advisory
BD published an
advisory describing a third-party scripting engine memory corruption
vulnerability affecting their product line. The Internet Explorer®
vulnerability was
reported and fixed by Microsoft in February 2020. BD is currently working
to test and validate the Microsoft patch for BD products.
Flexera Advisory
Tenable published a report
describing an improper validation of
user-supplied data vulnerability in the Flexera FlexNet Publisher. This was a
coordinated disclosure. Flexera has a new
version that mitigates the vulnerability. The Tenable report includes
proof-of-concept exploit code.
NOTE: This license management tool is used as a third-party
component of many products, including some ICS products from vendors like
Johnson Controls, Schneider Electric and Rockwell, to name a few that have shown
up in vulnerability reports in the past. It will be interesting to see how fast
we see the subsidiary reporting from those affected vendors.