Saturday, August 7, 2021

Review - Public ICS Disclosures – Week of 7-31-21

This week we have three INFRA:HALT advisories from Phoenix Contact, Schneider Electric, and Siemens. We have 17 other advisories for products from Aruba, Bosch, Carestream, Genetec, Hitachi ABB Power Grids (3), Johnson Controls, Mitsubishi Electric (4), Phoenix Contact (3), PulseSecure, and VMware. Finally, there are two updates from CODESYS and PcVue.

INFRA:HALT Advisories

Phoenix Contact published an advisory discussing the INFRA:HALT vulnerabilities.

Schneider published an advisory discussing the INFRA:HALT vulnerabilities.

Siemens published an advisory discussing the INFRA:HALT vulnerabilities.

Other Advisories

Aruba published an advisory describing a privilege escalation vulnerability in their Analytics and Location Engine (ALE).

Bosch published an advisory describing a cross-site request forgery vulnerability in their IP Cameras.

Carestream published an advisory discussing the PrintNightmare vulnerabilities.

Genetec published an advisory describing four vulnerabilities in their Streamvault products.

Hitachi ABB published an advisory discussing the FragAttacks WiFi vulnerabilities in their TropOS Product.

Hitachi ABB published an advisory describing a password in memory vulnerability in their Counterparty Settlement Billing (CSB) Product.

Hitachi ABB published an advisory describing a password in memory vulnerability in their Retail Operations Product.

Johnson Controls published an advisory describing an auto-update vulnerability in their Software House C•CURE 9000 product.

Mitsubishi published an advisory describing an information disclosure vulnerability in their MELSEC iQ-R Series CPU module.

Mitsubishi published an advisory describing an unauthorized log-in vulnerability in their MELSEC iQ-R series CPU modules.

Mitsubishi published an advisory describing a denial-of-service vulnerability in their MELSEC iQ-R Series CPU module.

Mitsubishi published an advisory describing an authentication bypass vulnerability in their MELSEC iQ-R Series CPU Module.

Phoenix Controls published an advisory discussing the WIBU CodeMeter vulnerabilities reported by NCCIC-ICS.

Phoenix Controls published an advisory describing a denial of service vulnerability in their PLCnext Control devices.

Phoenix Controls published an advisory describing an improper privilege management vulnerability in their FL MGUARD DM product.

PulseSecure published an advisory describing six vulnerabilities in their Pulse Connect Secure.

VMware published an advisory describing two vulnerabilities in their VMware Workspace ONE Access product.

Updates

CODESYS published an update for their CODESYS Development System V3 advisory that was originally published on July 15th, 2021.

PcVue published an update for their advisory that was originally published in November 2020.

For more details on these advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-e33 - subscription required.
