Review - Public ICS Disclosures – Week of 2-19-22

This week we have twelve vendor disclosures from Aruba, GE Gas Power (2), Hitachi, Insyde (3), HPE, PulseSecure, QNAP, Siemens, and VMware. We have five vendor updates from Aruba, Dell, HPE, Johnson Controls, and Milestone. We also have 19 researcher reports for products from WECON (15), Fuji Electric (3), and Industrial Control Links (ICL). Finally we have three exploits reported for products from ICL and WebHMI (2).

Aruba Advisory - Aruba published an advisory describing 16 vulnerabilities in their AOS-CX Switches. Some of these are third-party vulnerabilities.

GE Gas Power Advisory #1 - GE published an advisory discussing the GE CIMPLICITY vulnerabilities reported earlier this week.

GE Gas Power Advisory #2 - GE published an advisory discussing the Blackberry QNX Neutrino Kernel vulnerability.

Hitachi Advisory - Hitachi published an advisory discussing 20 recently reported Microsoft vulnerabilities affecting their Hitachi Disk Array Systems.

Insyde Advisory #1 - Insyde published an advisory describing a privilege escalation vulnerability in their SysPasswordDxe driver.

Insyde Advisory #2 - Insyde published an advisory describing a buffer overflow vulnerability in their VariableEditSmm driver.

Insyde Advisoyr #3 - Insyde published an advisory describing a plain-text storage of sensitive information vulnerability in their HddPasswordPei driver.

HPE Advisory #1 - HPE published an advisory describing two vulnerabilities in their OneView Global Dashboard.

PulseSecure Advisory - PulseSecure published an advisory describing an integer overflow or wrap around vulnerability in multiple product lines.

QNAP Advisory - QNAP published an advisory describing two cross-site scripting vulnerabilities in their NAS running Proxy Server.

Siemens Advisory - Siemens published an advisory discussing 23 vulnerabilities in their Industrial Products.

VMware Advisory - VMware published an advisory describing a cross-site scripting vulnerability in their Workspace ONE Boxer.

Aruba Update - Aruba published an update for their PwnKit advisory that was originally published on February 1^st, 2022.

Dell Update - Dell published an update for their generic Log4Shell  advisory.

HPE Update - HPE published an update for their PwnKit advisory that was originally published on February 1^st 2022.

Johnson Controls Update - Johnson Controls published an update for their Log4Shell advisory.

Milestone Update - Milestone published an update for their Log4Shell advisory.

WECON Reports - The Zero Day Initiative published 15 reports of vulnerabilities in the WECON LeviStudioU.

Fuji Reports - ZDI published 3 reports of vulnerabilities in the Fuji Electric Alpha5 servo amplifiers.

ICL Report - Zero Science published a report describing a file write/overwrite and delete vulnerability in the ICL ScadaFlex II SCADA Controllers SC-1/SC-2.

ICL Exploit - LiquidWorm published an exploit for the ICL vulnerability reported above.

WebHMI Exploit #1 - Antonio Cuomo published an exploit for a remote code execution vulnerability in WebHMI version 4.1.1.

WebHMI Exploit #2 - Antonio Cuomo published an exploit for cross-site scripting vulnerability in WebHMI 4.1.

 

For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-762 - subscription required.