This week we have three new Ripple20 [corrected link, 10-18-20, 0844 EDT] advisories for products
from ABB, BD, and HMS, and three updates for products from ABB, Schneider and Eaton.
There were two BootHole
advisories published for products from Medtronic and BD. There were three
additional vendor disclosures this week for products from SICK, Rockwell and Yokogawa.
Ripple20
ABB published a Ripple20
advisory for their distribution automation products. The advisory provides
a list of affected products and the announcement that ABB intends to produce
new firmware to mitigate the vulnerabilities.
BD published a Ripple20
advisory for their BD Kiestra and Rowa products. The advisory provides
generic mitigation measures.
HMS published a Ripple20
advisory for their HMS LABSline SG and Anybus SG-gateways. Since the
affected products are end-of-life, HMS recommends upgrading to newer products.
ABB updated
a previously issued Ripple20 advisory that was originally
published on July 11th, 2020. The new information includes a
revised affected product list and provides links to the advisory described above.
Schneider updated
a previously issued Ripple20 advisory that was originally
published on June 23, 2020 and most recently
updated on July 14th, 2020. The new information includes:
• Adding XUPH001 OsSense
communication module, XGCS850C201 OsiSense RFID compact smart antenna, Wiser
Energy IP module, and Gateway Connector by Elko to the list of affected
products, and
• Removing PowerLogic EGX100, ECI850
Sepam IEC 61850 Server, and PowerLogic G3200 Modbus to IEC 61850 Gateway from
the list of affected products.
Eaton
updated their Ripple20 advisory that was originally
published on June 23rd, 2020 and most recently updated on July
15th, 2020. The new information includes an updated affected product
list and an updated
mitigation for ePDU products.
BootHole
Medtronic published a BootHole
Advisory providing a generic announcement that they were looking at the
potential vulnerability in their products.
BD published a BootHole
Advisory providing a generic announcement that they were looking at the
potential vulnerability in their products.
NOTE: The medical device vendors are getting fairly
proactive about looking at named OS vulnerabilities and announcing their
concern/interest. I suspect that this is because of the regulated nature of the
market and an interest in obviating any additional cybersecurity-related regulatory
actions.
SICK Advisory
SICK published an
advisory describing two vulnerabilities in their Package Analytics
products. The vulnerabilities were reported by an unacknowledged third party.
SICK has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
• Authentication bypass using an
alternate path or channel - CVE-2020-2076, and
• Incorrect default permissions - CVE-2020-2077
Rockwell Advisory
Rockwell published an
advisory describing a vulnerability in their FactoryTalk Services Platform:
an improper implementation of the hashing algorithm for user passwords. The vulnerability
is being self-reported. Rockwell has a patch to mitigate the vulnerability.
Yokogawa Advisory
Yokogawa published an advisory describing
two vulnerabilities in their CAMS for HIS of CENTUM products. The
vulnerabilities were reported by Nataliya Tlyapova and Ivan Kurnakov, Positive
Technologies. Yokogawa has patches to mitigate the vulnerabilities in products
that are not yet at end-of-life. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper authentication - CVE-2020-5608,
and
• Path traversal - CVE-2020-5609