Saturday, April 23, 2022

Review – Public ICS Disclosures – Week of 4-16-22

This week we have seventeen vendor disclosures from ABB, Bosch, Dell, Eaton (2), Hitachi Energy, HP, HPE (2), Moxa, QNAP (3), Siemens, Sick, Software Toolbox, and Tanzu. We also have two vendor updates from Johnson Controls and VMware. Finally, there is a researcher report on vulnerabilities in products from Jinan USR IOT.

ABB Advisory - ABB published an advisory discussing the INCONTROLLER ICS attack tools.

Bosch Advisory - Bosch published an advisory discussing 25 3rd-party vulnerabilities (six with known exploits) in their ctrlX CORE XCR applications.

Dell Advisory - Dell published an advisory discussing two 3rd-party vulnerabilities (one with a known exploit) in their Wyse Management Suite (WMS) and Dell Wyse Management Suite Repository products.

Eaton Advisory #1 - Eaton published an advisory discussing the SpringShell vulnerabilities.

Eaton Advisory #2 - Eaton published an advisory discussing the INCONTROLLER ICS attack tools.

Hitachi Energy Advisory - Hitachi Energy published an advisory describing an input validation vulnerability in their RTU500 series.

HP Advisory - HP published an advisory discussing the BrakTooth vulnerabilities in a variety of their notebook and laptop products.

HPE Advisory #1 - HPE published an advisory describing a security bypass vulnerability in their Nimble Storage flash arrays.

HPE Advisory #2 - HPE published an advisory describing an infinite loop vulnerability in their IceWall Products.

Moxa Advisory - Moxa published an advisory discussing the SpringShell vulnerability.

QNAP Advisory #1 - QNAP published an advisory discussing two vulnerabilities in their QNAP NAS products.

QNAP Advisory #2 - QNAP published an advisory discussing four recently reported Internet Systems Consortium (ISC) BIND vulnerabilities.

QNAP Advisory #3 - QNAP published an advisory discussing two recently reported Apache Struts vulnerabilities.

Siemens Advisory - Siemens published an advisory discussing the SpringShell vulnerability.

Sick Advisory - Sick published an advisory discussing two 3rd-party, improper input validation vulnerabilities in their MARSIC300 ship emissions measuring device.

Software Toolbox Advisory - Software Toolbox published an advisory discussing the INCONTROLLER ICS attack tools.

Tanzu Advisory - Tanzu published an advisory describing a resource exhaustion vulnerability in their Spring Security OAuth.

Johnson Controls Update - Johnson Controls published an update for their Log4Shell advisory.

VMware Update - VMware published an update for their VMware Horizon Agent advisory that was originally published on April 6th, 2022.

Jinan USR IOT Report - Zero Science published a report on a root backdoor vulnerability (exploit available) in the Jinan USR IOT 4G LTE Industrial Cellular VPN Router.


For more details on these disclosures, including links to 3rd-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-28f - subscription required.
