Saturday, April 17, 2021

Public ICS Disclosures – Week of 4-10-21 – Part 1

This week we have six vendor disclosures from Philips, QNAP (4), and Ruckus. We also have a researcher report for products from Siemens. Part 2 will discuss advisories and updates from Siemens and Schneider published earlier this week.

Philips Advisory

Philips published an advisory discussing the NAME:WRECK DNS vulnerabilities in their products. They report that they are evaluating potentially affected products.

QNAP Advisories

QNAP published an advisory describing an SQL injection vulnerability in their Multimedia Console and the Media Streaming Add-On. The vulnerability was reported by Yaniv Puyeski. QNAP has a new version that mitigates the vulnerability. There is no indication that Puyeski has been provided an opportunity to verify the efficacy of the fix.

QNAP published an advisory describing a command injection vulnerability in their QTS and QuTS hero. The vulnerability was reported by Omri Mallis and Yaniv Puyeski. QNAP has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

QNAP published an advisory describing a cross-site scripting vulnerability in their File Station. The vulnerability was reported by Independent Security Evaluators. QNAP has newer versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

QNAP published an advisory describing two vulnerabilities in their TWONKY server products. This is a third-party (Lynx Technology) vulnerability. A Lynx update is pending.

The two reported vulnerabilities are:

• Improper access restriction, and

• Weak password obfuscation

Ruckus Advisory

Ruckus published an advisory describing an information disclosure vulnerability in their SmartZone products. Ruckus has new versions available that mitigate the vulnerability.

Siemens Report

The Zero Day Initiative published a report describing an unrestricted pointer dereference vulnerability in the Siemens Sold Edge Viewer. ZDI coordinated this disclosure with ICS-CERT (NCCIC-ICS), but no fix is yet available from Siemens.

No comments:

 
/* Use this with templates/template-twocol.html */