This has been a fairly busy disclosure week which will require two parts to list completely. For Part 1 we have seventeen vendor disclosures from ABB, CONTEC, Fuji Electric (2), HPE (2), Meinberg, Open Automation, QNAP (2), VMware (2), Western Digital, Xylem (3), and Yokogawa.
ABB Advisory - ABB published an advisory that describes two vulnerabilities in their e-Design product.
CONTEC Advisory - JP CERT published an advisory that describes an OS command injection vulnerability (with publicly available exploit) in the CONTEC SolarView Compact.
Fuji Advisory #1 - JP CERT published an advisory that describes five vulnerabilities in the Fuji V-SFT product.
Fuji Advisory #2 - JP CERT published an advisory that describes three vulnerabilities in the Fuji V-SFT, V-Server and V-Server Lite products.
HPE Advisory #1 - HPE published an advisory that describes an escalation of privilege vulnerability in their Version Control Repository Manager Installer.
HPE Advisory #2 - HPE published an advisory that discusses the Psychic Signatures vulnerability in their IceWall Products.
NOTE: This is going to be an interesting third-party vulnerability. The researcher report is well worth reading.
Meinberg Advisory - Meinberg published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their LANTIME Firmware.
Open Automation Advisory - Incibe CERT published an advisory that describes eight vulnerabilities in the Open Automation Software OAS Platform.
QNAP Advisory #1 - QNAP published an advisory that describes a cross-site request forgery vulnerability in their NAS running Proxy Server.
QNAP Advisory #2 - QNAP published an advisory that discusses four OpenSSL vulnerabilities.
VMware Advisory #1 - VMware published an advisory that describes an XML external entity vulnerability (with publicly available exploit) in their VMware Tools for Windows product.
VMware Advisory #2 - VMware published an advisory that describes two vulnerabilities in their VMware Workspace ONE Access, Identity Manager and vRealize Automation products.
Western Digital Advisory - Western Digital published an advisory that discusses an improper authentication vulnerability in their My Cloud OS 5 Firmware.
Xylem Advisory #1 - Xylem published an advisory that discusses the CISA Emergency Directive (ED) 22-03.
Xylem Advisory #2 - Xylem published an advisory that discusses an improper verification of cryptographic signature vulnerability in their Xylem Edge Gateway.
Xylem Advisory #3 - Xylem published an advisory that describes an improper authentication vulnerability in the Sensus Analytics Login Service of their Utility Portal application.
Yokogawa Advisory - Yokogawa published an advisory that describes a violation of secure design principles vulnerability in their CAMS for HIS products.
For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-017 - subscription required.