Saturday, April 24, 2021

Public ICS Disclosures – Week of 4-17-21

This week we have two vendor NAME:WRECK disclosures from Carestream and Draeger. We also have nine other vendor disclosures from Aruba Networks (2), Bosch, Advantech, Meinberg, QNAP, VMWare, and Yokogawa (2).

NAME:WRECK Advisories

Carestream published an advisory discussing the NAME:WRECK vulnerabilities. It also addresses the Urgent/11, Ripple20, Amnesia:33, and Number:Jack vulnerabilities. Carestream provides generic mitigation measures.

Draeger published an advisory discussing the NAME:WRECK vulnerabilities. Draeger reports that none of its medical devices use the affected stacks.

Aruba Advisories

Aruba published an advisory describing eleven vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by rceman and harishkumar0394 via BugCrowd, Daniel Jensen, Erik de Jong, and Vidya Bhaskar Tripathi. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Authentication bypass - CVE-2021-25147,

• Deserialization (2) - CVE-2021-25151 and CVE-2021-25152,

• SQL injection - CVE-2021-25153,

• Privilege escalation - CVE-2021-25154,

• Authenticated XML external entity (3) - CVE-2021-25163, CVE-2021-25164, and CVE-2021-25165,

• Authenticated remote command injection (2) - CVE-2021-25166 and CVE-2021-25167, and

• Authenticated open redirect - CVE-2021-29137

Aruba published an advisory describing ten vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Luke Young, hateshape and S4thi5h via BugCrowd, Daniel Jensen, and Xavier Danest. Aruba has patches that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Unauthenticated server-side request forgery - CVE-2021-29145,

• Authenticated stored cross-site scripting (3) - CVE-2021-29139, CVE-2021-29142, and CVE-2021-29146,

• Unauthenticated XML external entities - CVE-2021-29140,

• Privilege escalation - CVE-2020-7123,

• Authenticated information disclosure - CVE-2021-29138,

• Authenticated command injection - CVE-2021-29147, and

• Authenticated retrieval of sensitive information (2) - CVE-2021-29141 and CVE-2021-29144.

Bosch Advisory

Bosch published an advisory describing 14 vulnerabilities in their Rexroth IoT Gateway and ctrlX CORE products. These are third-party (operating system libraries and the Linux kernel) vulnerabilities. Bosch has updates for one of the affected products; updates for the others are pending.

The 14 reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-27815,

• Null pointer dereference - CVE-2020-27830,

• Path traversal - CVE-2020-28374,

• Release of invalid pointer or reference - CVE-2020-28941,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-29568,

• Unchecked return value - CVE-2020-29569,

• Use after free (3) - CVE-2020-29660, CVE-2020-29661, and CVE-2021-20232,

• Incorrect default permissions (2) - CVE-2021-24031 and CVE-2021-24032,

• Incorrect conversion between numeric types (2) - CVE-2021-27218 and CVE-2021-27219 (exploit), and

• Insufficient information - CVE-2021-27803

Advantech Advisory

Incibe-CERT published an advisory describing two file parsing vulnerabilities in the Advantech WebAccess/HMI Designer product. The vulnerabilities were reported (here and here) by kimiya via the Zero Day Initiative. Advantech is working on mitigation measures.

NOTE: This is likely to be reported by NCCIC-ICS this coming week.

Meinberg Advisory

Meinberg published an advisory describing seven vulnerabilities in their LANTIME products. Meinberg has updated firmware versions to mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• CA certificate check bypass - CVE-2021-3450 (OpenSSL),

• Null pointer dereference - CVE-2021-23840, CVE-2021-23841 (both OpenSSL),

• API overflow of output length - CVE-2021-23840 (OpenSSL),

• Heap-based buffer overflow - CVE-2021-3156 (exploits) (SUDO),

• Cross-site scripting - no CVE, and

• Command line injection - no CVE

QNAP Advisory

QNAP published an advisory describing an improper authorization vulnerability in their NAS running HBS 3 Hybrid Backup Sync. The vulnerability was reported by ZUSO ART. QNAP has a new version that mitigates the vulnerability.

VMWare Advisory

VMWare published an advisory describing a privilege escalation vulnerability in their NSX-T products. The vulnerability is self-reported. VMWare has patches available to mitigate the vulnerability.

Yokogawa Advisories

Yokogawa published an advisory discussing the Meltdown/SPECTRE vulnerabilities in their CENTUM VP Controller FCS products. Yokogawa has new versions that mitigate the vulnerabilities in some of their affected products.

Yokogawa published an advisory discussing the Microsoft® VB6 runtime vulnerabilities. Yokogawa has new versions that mitigate the vulnerabilities.
