Another busy week. This week, for Part 1 we have fifteen vendor disclosures from Bosch, Braun, Broadcom (2), Carrier, GE Gas Power, Hitachi, Hitachi Energy, HPE, Mitsubishi, Palo Alto Networks (2), Philips (2), and Phoenix Contact.
Bosch Advisory - Bosch published an
advisory describing two stack-based buffer overflows in the recovery image
process in their CPP Firmware.
Braun Advisory - Braun published an
advisory discussing the Palo Alto Networks report
on infusion pump vulnerabilities.
Broadcom Advisory #1 - Broadcom published an
advisory discussing the 23 reported vulnerabilities in Insyde's H2O UEFI
firmware.
Broadcom Advisory #2 - Broadcom published an
advisory describing an inadequate cryptographic key implementation
vulnerability in their Brocade Fabric OS (FOS) for older generation platforms.
Carrier Advisory - Carrier published an
advisory discussing the LAPSUS$ attack on Okta.
GE Advisory - GE published an
advisory discussing the SpringShell
vulnerabilities.
Hitachi Advisory - Hitachi published an advisory
discussing 31 vulnerabilities in their Disk Array products.
Hitachi Energy Advisory - Hitachi Energy published an
advisory discussing the Spring4Shell vulnerabilities.
HPE Advisory - HPE published an
advisory describing four vulnerabilities in the HPE OneView product.
Mitsubishi Advisory - Mitsubishi published an
advisory discussing the Log4Shell
vulnerabilities in their CC-Link IE TSN Configurator.
Palo Alto Networks Advisory #1 - Palo Alto Networks
published an advisory discussing an infinite loop vulnerability in their PAN-OS
products.
Palo Alto Networks Advisory #2 - Palo Alto Networks
published an
advisory discussing the Spring4Shell vulnerabilities.
Philips Advisory #1 - Philips published an advisory
discussing six vulnerabilities in their IntelliVue XDS and VuePACS products.
Philips Advisory #2 - Philips published an advisory
discussing an authentication bypass by spoofing vulnerability.
Phoenix Contact Advisory - Phoenix Contact published
an advisory discussing 15 vulnerabilities (2 with known exploits) in their PROFINET
SDK.
For more information on these disclosures, including links
to researcher reports, 3rd-party vendor advisories and exploits, see
my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-113
- subscription required.