Saturday, February 13, 2021

Public ICS Disclosures – Week of 2-6-21 – Part 1

This week we have four vendor disclosures from B&R Automation, Dell, GE Healthcare, and Rockwell. There is also an update from Rockwell.

B&R Advisory

B&R published an advisory discussing the CodeMeter vulnerabilities. B&R provides a list of affected products and links to updated versions that mitigate the vulnerabilities.

Dell Advisory

Dell published an advisory describing three vulnerabilities in their AOS SD-WAN. These are third-party vulnerabilities (ArubaOS). Dell has new versions that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Multiple buffer overflows - CVE-2020-24633,

• Unauthenticated remote command injection - CVE-2020-24634, and

• Secureboot bypass - CVE-2020-10713

GE Healthcare Advisory

GE published an advisory describing a buffer overflow vulnerability in unnamed products. This is a third-party (sudo) vulnerability. GE provides no mitigation measures on their public-facing portal. There is a publicly available exploit for this vulnerability.

Rockwell Advisory

Rockwell published an advisory describing an IPv4 denial-of-service vulnerability in their Allen-Bradley MicroLogix 1100 Programmable Logic Controller. This vulnerability was reported by Talos. Rockwell has a firmware update that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

Rockwell Update

Rockwell published an update for their Ripple20 advisory. The new information includes adding the four new vulnerabilities reported by Treck on December 20th, 2020.

Part 2

I will address the Siemens and Schneider advisories and updates from this week that were not covered by NCCIC-ICS in Part 2 of this post.
