Another busy week requiring a two-part post. In Part 1 this week, we have 19 vendor disclosures from Aruba Networks (3), Aveva, Axis, Belden (3), Bosch, Broadcom (8), Emerson, and TRUMPF.

Aruba Advisory #1 - Aruba published an advisory discussing an infinite loop vulnerability in multiple products. This is a third-party (OpenSSL) vulnerability.

Aruba Advisory #2 - Aruba published an advisory describing 21 vulnerabilities in their ClearPass Policy Manager.

Aruba Advisory #3 - Aruba published an advisory discussing the TLStorm 2.0 vulnerabilities.

Aveva Advisory - Aveva published an advisory describing an exposure of resource to wrong sphere vulnerability in their InTouch Access Anywhere and Plant SCADA Access Anywhere products.

Axis Advisory - Axis published an advisory discussing two vulnerabilities (with one known exploit available) in their AXIS P7701 Video Decoder.

Belden Advisory #1 - Belden published an advisory discussing eight vulnerabilities (two with known exploits) in their Provize Basic Frontend.

Belden Advisory #2 - Belden published an advisory discussing two vulnerabilities (one with known exploit) in their Provize Basic Backend.

Belden Advisory #3 - Belden published an advisory discussing an uncontrolled resource consumption vulnerability (with a known exploit) in their Provize Basic product.

Bosch Advisory - Bosch published an advisory discussing five vulnerabilities in the PLC applications of their ctrlX CORE, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD control systems.

Broadcom Advisory #1 - Broadcom published an advisory discussing a link following vulnerability in their Brocade SANnav product.

Broadcom Advisory #2 - Broadcom published an advisory discussing an improper input validation vulnerability (with a known exploit) in their Brocade SANnav product.

Broadcom Advisory #3 - Broadcom published an advisory discussing a deserialization of untrusted data vulnerability in their Brocade SANnav product.

Broadcom Advisory #4 - Broadcom published an advisory describing an information exposure vulnerability in their Brocade SANnav product.

Broadcom Advisory #5 - Broadcom published an advisory describing a plain-text storage of sensitive information vulnerability in their Brocade SANnav product.

Broadcom Advisory #6 - Broadcom published an advisory describing a SQL injection vulnerability in their Brocade SANnav product.

Broadcom Advisory #7 - Broadcom published an advisory describing an inadequate password encryption vulnerability in their Brocade SANnav product.

Broadcom Advisory #8 - Broadcom published an advisory describing a role-based access control vulnerability in their Brocade SANnav product.

Emerson Advisory - Emerson published an advisory discussing two vulnerabilities in their AVENTICS AF2 Series flow sensors.

TRUMPF Advisory - CERT-VDE published an advisory describing a missing authentication for critical function vulnerability in the TRUMPF TruTops products.

For more details on these advisories, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-c2b - subscription required.