Saturday, December 11, 2021

Review - Public ICS Disclosures – Week of 12-4-21

It is early yet, but we do have two vendor disclosures for the log4shell vulnerability from SonicWall and VMware. We also have nine routine vendor disclosures from ABB, Bosch, Helmholz (2), QNAP (4), and SonicWall. Finally, there are two researcher reports of vulnerabilities in products from Gerbv.

Log4Shell Advisory #1 - SonicWall published an advisory discussing the log4shell vulnerability.

Log4Shell Advisory #2 - VMware published an advisory discussing the log4shell vulnerability.

ABB Advisory - ABB published an advisory describing a missing authentication vulnerability in their RobotWare.

Bosch Advisory - Bosch published an advisory describing four vulnerabilities in their BT software products.

Helmholz Advisory #1 - CERT-VDE published an advisory describing two vulnerabilities in the Helmholz shDialup program.

Helmholz Advisory #2 - CERT-VDE published an advisory describing a response discrepancy information disclosure vulnerability in the Helmholz myREX24 and myREX24-virtual software.

QNAP Advisory #1 - QNAP published an advisory describing an improper authentication vulnerability in their Qfile for Android application.

QNAP Advisory #2 - QNAP published an advisory describing a reflected cross-site scripting vulnerability in their QNAP NAS running Kazoo Server.

QNAP Advisory #3 - QNAP published an advisory describing a stack-based buffer overflow vulnerability in their QNAP NAS running Surveillance Station.

QNAP Advisory #4 - QNAP published an advisory discussing reports of a bitcoin miner targeting QNAP NAS devices.

SonicWall Advisory - SonicWall published an advisory describing eight vulnerabilities in their SMA 100 series appliances.

Gerbv Report #1 - Talos published a report describing an out-of-bounds write vulnerability in the Gerbv RS-274X aperture macro.

Gerbv Report #2 - Talos published a report describing an integer overflow or wraparound vulnerability in the Gerbv RS-274X aperture macro.

For more details on these advisories and reports, including links to third-party advisories and supporting research reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12 - subscription required.
