Saturday, July 23, 2022

Review – Public ICS Disclosures – Week of 7-16-22

This week we have ten vendor disclosures from Dell, Eaton, Flexera, Honeywell, HP, HPE (2), Rockwell, and SonicWall. We also have four vendor updates from Aruba Networks (2), Fujitsu, and HP. Finally, we have one researcher report for products from Schneider Electric.

Dell Advisory - Dell published an advisory that discusses 28 vulnerabilities (two with known exploits) in their Wyse Management Suite.

Eaton Advisory - Eaton published an advisory that describes an unrestricted file upload vulnerability in their Foreseer software.

Flexera Advisory - Flexera published an advisory that discusses the log4j remote code execution vulnerability (CVE-2021-44832).

Honeywell Advisory - Honeywell published an end-of-life notice for their equIP® Series IP Cameras, Performance Series IP and HQA Cameras, and Performance Series NVRs, and DVR.

HP Advisory - HP published an advisory that discusses seven vulnerabilities in their UEFI Secure Boot Database.

HPE Advisory #1 - HPE published an advisory that describes a disclosure of sensitive information vulnerability in their OneView product.

HPE Advisory #2 - HPE published an advisory that discusses an endless loop vulnerability in their NonStop products.

Rockwell Advisory - Rockwell published an advisory that discusses the SpringShell vulnerability in their FactoryTalk Analytics DataView product.

SonicWall Advisory - SonicWall published an advisory that describes an SQL injection vulnerability in their GMS and Analytics products.

Aruba Update #1 - Aruba published an update for their OpenSSL advisory that was originally published on May 4th, 2022 and most recently updated on June 1st, 2022.

Aruba Update #2 - Aruba published an update for their Expat XML advisory that was originally published on May 17th, 2022 and most recently updated on July 7th, 2022.

Fujitsu Update - Fujitsu published an update for their ETERNUS CS8000 advisory that was originally published on June 1st, 2022.

HP Update - HP published an update for their Jumpstart advisory that was originally published on May 10th, 2022.

Schneider Report - Zero Science Labs published a report describing an OS command injection vulnerability in the Schneider SpaceLogic C-Bus Home Automation System.

 

For more details on these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-c9a - subscription required.
