Saturday, March 19, 2022

Review - Public ICS Disclosures – Week of 3-12-22

A relatively slow week. This week we have nine vendor disclosures from Belden, Bosch, Draeger, Eaton, GE Healthcare, Johnson Controls, QNAP, Spacelabs, and Xylem. There are also four vendor updates from Carestream, FANUC, VMware, and Yokogawa. We also have two researcher reports for products from Leadtools and Broadcom. Finally, we have an exploit published for products from Hikvision.

Belden Advisory - Belden published an advisory discussing the FragAttacks WiFi vulnerabilities.

Bosch Advisory - Bosch published an advisory discussing an improper restriction of XML external entity reference in their Bosch Video Management Software (BVMS) products.

Draeger Advisory - Draeger published an advisory discussing the DirtyPipe vulnerability.

Eaton Advisory - Eaton published an advisory discussing the TLStorm vulnerabilities.

GE Healthcare Advisory - GE Healthcare published an advisory discussing the Dirty Pipe vulnerability.

Johnson Controls Advisory - Johnson Controls published an advisory describing a code injection vulnerability in their Metasys ADS/ADX/OAS Servers.

QNAP Advisory - QNAP published an advisory discussing the Dirty Pipe vulnerability. QNAP lists affected and non-affected products.

Spacelabs Advisory - Spacelabs published an advisory discussing the Access:7 vulnerabilities.

Xylem Advisory - Xylem published an advisory discussing two vulnerabilities in their Aquaview product.

Carestream Update - Carestream published an update for their Access:7 advisory that was originally published on March 8th, 2022.

FANUC Update - FANUC published an update for their Robot Controllers advisory that was originally published on December 16th, 2021.

VMware Update - VMware published an update for their NSX Data Center advisory that was originally published on February 15th, 2022.

Yokogawa Update - Yokogawa published an update for their CENTUM advisory that was originally published on March 10th, 2022.

Leadtools Report - Talos published a report describing an integer overflow or wraparound vulnerability in Leadtools 22.

Broadcom Report - Black Lantern Security published a report about two vulnerabilities in the Broadcom Brocade Fabric OS.

Hikvision Exploit - Sobhan Mahmoodi published an exploit for an authentication bypass vulnerability in Hikvision IP Cameras.


For more details about these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-d15 - subscription required.
