Saturday, October 8, 2022

Review – Public ICS Disclosure – Week of 10-1-22

This week we have six vendor disclosures from Bentley (3), Hitachi, strongSwan, and VMware. We also have seven vendor updates from CODESYS. Finally, we have two researcher reports with exploits for products from ZKSecurity.

Bentley Advisory #1 - Bentley published an advisory that describes an out-of-bounds read vulnerability in their MicroStation and MicroStation-based applications.

Bentley Advisory #2 - Bentley published an advisory that describes two vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #3 - Bentley published an advisory that describes two vulnerabilities in their MicroStation and MicroStation-based applications.

Hitachi Advisory - Hitachi published an advisory that discusses 39 vulnerabilities in their Disk Array Systems.

StrongSwan Advisory - StrongSwan published an advisory describing a trust chain vulnerability in their strongSwan product.

VMware Advisory - VMware published an advisory that describes two vulnerabilities in their VMware ESXi and vCenter Server products.

CODESYS Update #1 - CODESYS published an update for their CODESYS V3 Visualization advisory that was originally published on June 3rd, 2022.

CODESYS Update #2 - CODESYS published an update for their CODESYS V2 password transport advisory that was originally published on June 9th, 2022 and most recently updated on June 23rd, 2022.

CODESYS Update #3 - CODESYS published an update for their CODESYS OPC DA Server V3 advisory that was originally published on May 19th, 2022 and most recently updated on June 3rd, 2022.

CODESYS Update #4 - CODESYS published an update for their CODESYS communication server advisory that was originally published on May 19th, and most recently updated on June 3rd, 2022.

CODESYS Update #5 - CODESYS published an update for their CODESYS Control V3 configuration file access advisory that was originally published on March 24th, 2022, and most recently updated on June 30th, 2022.

CODESYS Update #6 - CODESYS published an update for their CODESYS Git advisory that was originally published on November 30th, 2021.

CODESYS Update #7 - CODESYS published an update for their CODESYS V2 web server advisory that was originally published on October 25, 2021 and most recently updated on November 8th, 2022.

ZKSecurity Report #1 - Stolabs published a report that describes an SQL injection vulnerability in the ZKSecurity Bio product.

ZKSecurity Report #2 - Caio B published a report that describes an access control vulnerability in the ZKSecurity Bio product.

 

For more details about these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-10-0f6 - subscription required.

