Saturday, May 2, 2020

Public ICS Disclosures – Week of April 25th, 2020

This week we have two vendor disclosures for products from Moxa and BD. We also have one researcher disclosure for products from Flexera.

Moxa Advisory

Moxa published an advisory describing an unauthenticated information disclosure vulnerability in their NPort 5100A Series Serial Device Servers. The vulnerability was reported by Maayan Fishelov from SCADAfence. Moxa has a new firmware version that mitigates the vulnerability. There is no indication that Fishelov has been provided an opportunity to verify the efficacy of the fix.

BD Advisory

BD published an advisory describing a memory corruption vulnerability in a third-party scripting engine that affects their product line. The underlying Internet Explorer® vulnerability was reported and patched by Microsoft in February 2020. BD is currently testing and validating the Microsoft patch for BD products.

Flexera Advisory

Tenable published a report describing an improper validation of user-supplied data vulnerability in the Flexera FlexNet Publisher. This was a coordinated disclosure. Flexera has a new version that mitigates the vulnerability. The Tenable report includes proof-of-concept exploit code.

NOTE: This license management tool is used as a third-party component in many products, including ICS products from vendors such as Johnson Controls, Schneider Electric and Rockwell, to name a few that have shown up in earlier FlexNet Publisher vulnerability reports. It will be interesting to see how quickly the subsidiary reports from those affected vendors appear.
