This week we have eight public disclosures from Bosch, Carestream, ENDRESS+HAUSER, Dell, Draeger, GE Healthcare, Pulse Secure, and VMWare. An update is available for products from Rockwell. There is an end-of-life notice from Honeywell. Finally, there is an exploit for products from VMware.
Bosch Advisory
Bosch published an advisory describing a side-channel key extraction vulnerability in the Bosch cameras and encoders built on platforms CPP-ENC, CPP3, CPP4, CPP5, CPP6, CPP7 and CPP7.3. This is a third-party vulnerability (NXP). Since this is a chip-based vulnerability, Bosch is only able to provide generic workarounds. The original NinjaLab report on the NXP vulnerability contains proof-of-concept code.
NOTE: This third-party vulnerability was reported earlier in products from Rockwell; other vendors will probably also be affected.
Carestream Advisory
Carestream published an advisory discussing the heap-based buffer overflow vulnerability in Google Chrome. Carestream provides a list of affected and unaffected products. Carestream will update Chrome in the next product release for the affected products.
ENDRESS+HAUSER Advisory
CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in a number of ENDRESS+HAUSER products. ENDRESS+HAUSER provides generic workarounds pending development of appropriate mitigation measures in future versions of the products.
Dell Advisory
Dell published an advisory describing two vulnerabilities in their Dell EMC OpenManage Server Administrator. The vulnerabilities were reported by David Yesland from Rhino Security Labs and by Tenable. Dell has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Authentication bypass - CVE-2021-21513, and
• Path traversal - CVE-2021-21514
NOTE: The Tenable report contains proof-of-concept code for the
Draeger Advisory
Draeger published an advisory describing an out-of-bounds write vulnerability in their CC-Vision Basic and CC-Vision E-Cal Software. The vulnerability was reported by Mario Ceballos. Draeger has new versions that mitigate the vulnerability. There is no indication that Ceballos has been provided an opportunity to verify the efficacy of the fix.
GE Healthcare Advisory
GE Healthcare has published an advisory discussing the Microsoft Windows TCP/IP vulnerabilities. GE Healthcare reports that they are actively assessing products to see if they are affected.
Pulse Secure Advisory
Pulse Secure has published an advisory discussing the TrickBoot vulnerability in their PSA-Series Hardware. Pulse Secure has a BIOS patch available that mitigates the vulnerability.
VMWare Advisory
VMWare published an advisory describing a remote code execution vulnerability in their View Planner product. The vulnerability was reported by Mikhail Klyuchnikov of Positive Technologies. VMware has a security patch that mitigates the vulnerability. There is no indication that Klyuchnikov has been provided an opportunity to verify the efficacy of the fix.
Rockwell Update
Rockwell published an update for their Logix Controllers advisory that was originally published on February 25th, 2021. The advisory was re-written for clarity.
NOTE: I suspect the NCCIC-ICS will update their advisory on this vulnerability this coming week.
Honeywell EOL Notice
Honeywell published an end-of-life notice for their Pro-Watch 4.3 and Pro-Watch 4.35 products. The products will no longer be supported after September 30th, 2021.
VMWare Exploit
Photubias published an exploit for an unauthenticated file upload vulnerability in VMware vCenter Server 7.0. The vulnerability was previously reported by VMware.