Saturday, June 18, 2022

Review – Public ICS Disclosures – Week of 6-11-22 – Part 2

For Part 2 we have nine vendor disclosures from Dell and Schneider (8). We also have four vendor updates for products from Fujitsu, Dell, HP, and HPE. We also have three researcher reports for products from Bachmann Visutec, Blynk, and Nexans. Part 3 tomorrow will cover Schneider and Siemens updates.

Dell Advisory - Dell published an advisory that discusses the SpringShell vulnerabilities.

Schneider Advisory #1 - Schneider published an advisory that describes two vulnerabilities in their EcoStruxure™ Cybersecurity Admin Expert.

Schneider Advisory #2 - Schneider published an advisory that describes an improper restriction of operations within the bounds of a memory buffer in their CanBRASS design and costing tool.

Schneider Advisory #3 - Schneider published an advisory that describes two vulnerabilities in their C-Bus Home Automation Products.

Schneider Advisory #4 - Schneider published an advisory that describes three vulnerabilities in their EcoStruxure Power Commission software.

Schneider Advisory #5 - Schneider published an advisory that describes three vulnerabilities in their Conext™ Combox communications and monitoring device.

Schneider Advisory #6 - Schneider published an advisory that describes an exposure of resource to wrong sphere vulnerability in their Geo SCADA Mobile application.

Schneider Advisory #7 - Schneider published an advisory that describes eight vulnerabilities in their Interactive Graphical SCADA System (IGSS).

Schneider Advisory #8 - Schneider published an advisory that describes four vulnerabilities in their Data Center Expert product.

NOTE: This advisory was updated on June 16th, 2022. The new information included updating affected version information and clarification of fixed versions.

Fujitsu Update - JPCert published an update for the FUJITSU Network IPCOM advisory that was originally published on May 19th, 2022 and most recently updated on June 10th, 2022.

Dell Update - Dell published an update for their Log4Shell advisory.

HP Update - HP published an update for their Wireless Bluetooth advisory that was originally published on February 8th, 2022.

HPE Update - HPE published an update for their Synergy Servers advisory that was originally published on May 10th, 2022 and most recently updated on May 31st, 2022.

Bachmann Report - Talos published a report describing an information disclosure vulnerability in the Bachmann Atvise SCADA registration function.

Blynk Report - Talos published a report describing a stack-based buffer overflow vulnerability in the Blynk-Library.

Nexans Report - SEC Consult published a report describing four vulnerabilities in the Nexans FTTO GigaSwitch series due to using outdated software components.

 

For more details about these disclosures, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-af5 - subscription required.
