Saturday, November 7, 2020

Public ICS Disclosures – Week of 10-31-20

This week we have seven vendor disclosures from BD, Johnson and Johnson, Moxa (2), Philips, Rockwell, and Sick. We also have two researcher reports about in-the-wild exploits of a vulnerability in products from Oracle that apparently affects a product from Siemens.

BD Advisory

BD published an advisory discussing the effect of the Netlogon vulnerability on products from BD. The advisory contains a list of potentially affected products. BD provides generic guidance on mitigation measures for this vulnerability.

Johnson and Johnson Advisory

Johnson and Johnson published an advisory discussing the Ryuk ransomware advisory from the Federal Government. The advisory notes that there are no Johnson and Johnson medical device products directly affected.

Moxa Advisories

Moxa published an advisory describing an incorrect default permissions vulnerability in their MXview Series network management software. The vulnerability was reported by Yuri Kramarz of Cisco Talos. Moxa has a new firmware version that mitigates the vulnerability. There is no indication that Kramarz has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Talos report includes proof of concept code.

Moxa published an advisory describing six vulnerabilities in their EDR-810 series security router. The vulnerabilities were reported by BDU FSTEC. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities include:

• Execute Arbitrary Commands - BDU:2020-01269,

• Denial of Service - BDU:2020-04912, and

• No response from system (4) - BDU:2020-04913, BDU:2020-04914, BDU:2020-04915, and BDU:2020-04916.

NOTE 1: BDU FSTEC reports (see here for example) that these vulnerabilities were discovered in July 2018. This may be of concern since FSTEC is the Russian Federal Service for Technical and Export Control. I do not know what sort of links FSTEC may have to Russian intelligence or security services.

NOTE 2: The ‘BDU’ numbers are the FSTEC reporting numbers (similar to CVE’s?). They can be found here.

Philips Advisory

Philips published an advisory discussing the Oracle WebLogic RCE vulnerability. Philips currently lists just one product (Tasy EMR v12.2.1.3) as being affected by this vulnerability.

Rockwell Advisory

Rockwell published an advisory discussing an HTTP session management vulnerability in their Stratix 5700 switch. This is a third-party (classic Cisco IOS) vulnerability. The vulnerability was reported by Amazon. Rockwell has a new version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

Sick Advisory

Sick published an advisory [.PDF download link] discussing a Windows® TCP/IP remote code execution vulnerability (CVE-2020-16898) in their Package Analytics product. Sick recommends applying the applicable Windows update.

Oracle Reports

FireEye published two reports (here and here) about on-going exploits of a classic buffer overflow vulnerability in the Oracle Solaris enterprise operating system. Normally I would not cover vulnerabilities in this product, but Ralph Langner published a Tweet indicating that this vulnerability affected the Siemens SPPA-T2000.

Commentary

We are seeing an increasing number of reports of third-party vulnerabilities. I suspect that these reports are just sightings of the tips of the various control system icebergs out there. We will not really know how widespread and dangerous these vulnerabilities are until vendors are forced to look at reported vulnerabilities in their component systems provided by third parties.
