Sunday, September 18, 2022

Review – Public ICS Disclosures – Week of 9-10-22 – Part 2

For Part 2 we have fifteen vendor updates from HPE, Schneider (12), and Siemens (2). We also have a researcher report of vulnerabilities in products from ETAP. Finally, we have an exploit reported for products from Palo Alto Networks.

HPE Update - HPE published an update for their HPE Integrated Lights-Out 5 advisory that was originally published on July 28th, 2022 and most recently updated on September 6th, 2022.

Schneider Update #1 - Schneider published an update for their Modicon Controllers advisory that was originally published on May 14th, 2019 and most recently updated on December 8th, 2020.

Schneider Update #2 - Schneider published an update for their embedded FTP servers advisory that was originally published on March 22nd, 2018 and most recently updated on September 6th, 2022.

Schneider Update #3 - Schneider published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on May 11th, 2021.

Schneider Update #4 - Schneider published an update for their Modicon Web Server advisory that was originally published on November 10th, 2020 and most recently updated on August 10th, 2021.

Schneider Update #5 - Schneider published an update for their Modicon Web Server advisory that was originally published on December 8th, 2020 and most recently updated on May 11th, 2021.

Schneider Update #6 - Schneider published an update for their Modicon Web Server advisory that was originally published on December 8th, 2020.

Schneider Update #7 - Schneider published an update for their SNMP Service advisory that was originally published on December 12th, 2020 and most recently updated on February 9th, 2022.

Schneider Update #8 - Schneider published an update for their INFRA:HALT advisory that was originally published on August 5th, 2021 and most recently updated on February 8th, 2022.

Schneider Update #9 - Schneider published an update for their Modicon Web Server advisory that was originally published on September 14th, 2021.

Schneider Update #10 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on August 9th, 2022.

Schneider Update #11 - Schneider published an update for their Modicon M340 Controller advisory that was originally published on April 12th, 2022.

Schneider Update #12 - Schneider published an update for their Modicon PAC Controller advisory that was originally published on August 9th, 2022.

Siemens Update #1 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on August 9th, 2022.

Siemens Update #2 - Siemens published an update for their JT2Go and Teamcenter advisory that was originally published on August 9th, 2022.

ETAP Report - Zero Science Lab published a report that describes a reflected cross-site scripting vulnerability (with a known exploit) in the ETAP Safety Manager.

 

For more information about these disclosures, including a summary of changes made in the updates, see my article at CFSN Detail Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-44d - subscription required.
