It is a fairly busy summer week for disclosures. In Part 1 this week we have thirteen vendor disclosures from ABB, Aruba Networks, Broadcom (2), CONTEC, Dell, Hitachi Energy (2), HPE, Meinberg, Software Toolbox, Western Digital, and Yokogawa. We will have vendor updates, researcher reports, and new exploits in Part 2.
ABB Advisory - ABB published an advisory that describes three vulnerabilities in their Ability™ Operations Data Management Zenon.
Aruba Advisory - Aruba published an advisory that describes a sensitive information disclosure vulnerability in their Aruba Virtual Intranet Access application.
Broadcom Advisory #1 - Broadcom published an advisory that describes a path traversal vulnerability in their Brocade Fabric OS.
Broadcom Advisory #2 - Broadcom published an advisory that discusses the RETbleed vulnerabilities.
CONTEC Advisory - JP CERT published an advisory that describes a file upload vulnerability in the CONTEC SolarView Compact product.
Dell Advisory - Dell published an advisory that discusses an allocation of resources without limits or throttling vulnerability in their Data Protection Advisor.
Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a classic buffer overflow vulnerability in their AFF660/665 series product web server.
Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses two vulnerabilities (one with a known exploit) in their Lumada Asset Performance Management (APM) Edge product.
NOTE: According to NVD.NIST.gov the first vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
HPE Advisory - HPE published an advisory that describes eleven vulnerabilities in their Integrated Lights-Out 5 firmware.
Meinberg Advisory - Meinberg published an end-of-life announcement for their LANTIME Operating System Version 6, effective January 1st, 2023.
Software Toolbox Advisory - Software Toolbox published an advisory that discusses an out-of-bounds write vulnerability with known exploits.
Western Digital Advisory #1 - Western Digital published an advisory that describes four cryptographic processing vulnerabilities in their Sweet B cryptographic library.
Western Digital Advisory #2 - Western Digital published an advisory that discusses eight vulnerabilities (six with known exploits) in their My Cloud OS 5 firmware.
Yokogawa Advisory - Yokogawa published an advisory that describes a resource management error vulnerability in their CENTUM controller FCS.
For more details on these advisories, including links to 3rd-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-7-23 - subscription required.