Saturday, July 11, 2020

Public ICS Disclosures – Week of 7-4-20

This week we have three new Ripple20 advisories and one update. We have two additional vendor disclosures for products from Moxa and GE.

Ripple20 Advisories and Updates

HMS published a Ripple20 advisory which provides a list of HMS products which are not affected by the vulnerabilities.

CERT-VDE published a Ripple20 advisory for the MIELE Communication Module XKM3000 L MED. It provides information on affected equipment and announces that: “A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.”

Draeger published a Ripple20 advisory announcing that Draeger medical devices are not affected.

Braun published a Ripple20 update that lists their Outlook 400ES infusion pump as their only affected product and notes that they are continuing to review Treck patches for applicability.

Moxa Advisory

Moxa has published an advisory describing two vulnerabilities in their MGate 5105-MB-EIP Series Protocol Gateways. The vulnerabilities were reported by Philippe Lin, Marco Balduzzi, Luca Bongiorni, Ryan Flores, Charles Perine, and Rainer Vosseler via the Zero Day Initiative. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture replay - CVE-2020-15494, and
• Exposure of sensitive information to an unauthorized actor - CVE-2020-15493

GE Advisory

GE has published an advisory describing the third-party Ghostcat vulnerability in their APM Connect UDLP 2.8 and earlier products, which rely upon Apache Tomcat servers. GE provides detailed mitigation measures.

NOTE: As with all third-party vulnerabilities, there is a potential for other ICS vendors to be affected by the same problem.
