Saturday, March 12, 2022

Review – Public ICS Disclosures – Week of 3-5-22 – Part 1

It has been a busy week, even without the 2nd Tuesday disclosures. This will be a three-part report. This week we have thirteen vendor disclosures from Boston Scientific, Broadcom, Carestream, WAGO, Draeger, Eaton (4), GE Gas Power, Genetec, Hitachi Energy, and Johnson Controls.

Boston Scientific Advisory - Boston Scientific published an advisory discussing the Access:7 vulnerabilities.

Broadcom Advisory - Broadcom published an advisory discussing the DirtyPipe vulnerability.

Carestream Advisory - Carestream published an advisory discussing the Access:7 vulnerabilities.

Ecava Advisory - Incibe CERT published an advisory discussing eight vulnerabilities in the Ecava IntegraXor.

WAGO Advisory - VDE CERT published an advisory describing a cross-site scripting vulnerability in various WAGO PLCs.

Draeger Advisory - Draeger published an advisory discussing the PwnKit vulnerability.

Eaton Advisory #1 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #2 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #3 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #4 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

GE Gas Power Advisory - GE Gas Power published an advisory discussing the Russia-Ukraine situation.

Genetec Advisory - Genetec published an advisory describing a privilege escalation vulnerability in the Authentication Service role in their Security Center product.

Hitachi Energy Advisory - Hitachi Energy published an advisory describing seven vulnerabilities (two with published exploits) in their RelCare product.

Johnson Controls Advisory - Johnson Controls published an advisory discussing a deserialization of untrusted data vulnerability in their DSC PowerManage product.

 

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3 - subscription required.
