This week we have eight vendor disclosures from Bosch, CODESYS, Dell, GE Gas Power, Hitachi, HPE (2), and Phoenix Contact. We have seven vendor updates from Dell, ABB (2), Honeywell, QNAP, Siemens, and VMware. We also have 17 researcher reports for products from Reolink (14), Moxa (2), and WAGO.
NOTE: This week’s post includes a number of Log4Shell updates and one new advisory. As I mentioned last week, there will probably not be any more stand-alone Log4Shell posts.
Bosch Disclosure - Bosch published an advisory describing an HTML code injection vulnerability in their Android Application, Bosch Video Security.
CODESYS Advisory - CODESYS published an advisory describing a NULL pointer dereference vulnerability in their CODESYS PROFINET.
Dell Advisory - Dell published an advisory describing two vulnerabilities in their Wyse Windows Embedded System.
GE Gas Power Advisory - GE Gas Power published an advisory discussing the Log4Shell vulnerabilities.
Hitachi Advisory - Hitachi published an advisory discussing 83 vulnerabilities in their Disc Array Systems.
HPE Advisory #1 - HPE published an advisory describing a buffer overflow vulnerability in their FlexNetwork 5130 EL Switch Series.
HPE Advisory #2 - HPE published an advisory describing an unquoted search path vulnerability in their Agentless Management Service for Windows product.
Phoenix Contact Advisory - Phoenix Contact published an advisory describing an incorrect privilege assignment vulnerability in their FL SWITCH 2xxx series products.
Dell Update - Dell published an update for their general Log4Shell advisory.
ABB Update #1 - ABB published an update for their BadAlloc advisory that was originally published on August 19th, 2021.
ABB Update #2 - ABB published an update for their Log4Shell advisory.
Honeywell Update - Honeywell published an update for their Log4Shell advisory.
QNAP Update - QNAP published an update for their QTS and QuTS hero advisory that was originally published on January 13th, 2021.
Siemens Update - Siemens published an update for their Log4Shell advisory.
VMware Update - VMware published an update for their VMware Workstation, Fusion and ESXi advisory that was originally published on January 4th, 2022.
Reolink Reports - Talos published 14 reports about 76 vulnerabilities in the Reolink RLC-410W camera.
Moxa Reports - Korelogic published two reports about vulnerabilities in the Moxa TN-5900 secure routers.
WAGO Report - SEC Consult published a report about four vulnerabilities in the WAGO 750-8xxx PLC.
For more details on these disclosures, including links to 3rd party advisories and individual researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-e17 - subscription required.