Sunday, October 16, 2022

Review – Public ICS Disclosures – Week of 10-8-22 – Part 2

For Part 2 this week we have five additional vendor disclosures from Schneider (4), and WAGO. We also have sixteen updates from Fanuc, HPE, Omron (2), Schneider (8), and Siemens (4). We have nine researcher reports for products from CCCERT (2), Robustel (6), and VMware.

Schneider Advisory #1 - Schneider published an advisory that describes six vulnerabilities in their EcoStruxure™ Operator Terminal Expert and Pro-face BLUE products.

Schneider Advisory #2 - Schneider published an advisory that discusses two vulnerabilities (one with known exploit) in their EcoStruxure Panel Server Box (PAS900).

Schneider Advisory #3 - Schneider published an advisory that discusses two vulnerabilities in their SAGE RTU products.

Schneider Advisory #4 - Schneider published an advisory that describes an improper input validation vulnerability in their EcoStruxure™ Power Operation and Power SCADA Operation software.

WAGO Advisory - CERT-VDE published an advisory that describes an uncontrolled resource consumption vulnerability in the FTP server in WAGO 750 series controllers.

Fanuc Update - Fanuc published an update for their ROBOGUIDE advisory that was originally published on April 8th, 2022 and most recently updated on June 29th, 2022.

HPE Update - HPE published an update for their Integrated Lights-Out 5 advisory that was originally published on September 15th, 2022.

Omron Update #1 - Omron published an update for their NJ/NXseries Machine Automation Controllers advisory that was originally published on July 1st, 2022.

Omron Update #2 - Omron published an update for their NJ/NXseries Machine Automation Controllers advisory that was originally published on July 1st, 2022.

Schneider Update #1 - Schneider published an update for their Log4Shell advisory.

Schneider Update #2 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 9th, 2022 and most recently updated on September 6th, 2022.

Schneider Update #3 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on August 9th, 2022 and most recently updated on September 6th, 2022.

Schneider Update #4 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on July 13th, 2021 and most recently updated on September 6th, 2022.

Schneider Update #5 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 10th, 2021 and most recently updated on September 6th, 2022.

Schneider Update #6 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on September 13th, 2022.

Schneider Update #7 - Schneider published an update for their Modicon Controllers advisory that was originally published on September 26th, 2019 and most recently updated on September 6th, 2022.

Schneider Update #8 - Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018 and most recently updated on September 13th, 2022.

Siemens Update #1 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on September 13th, 2022.

Siemens Update #2 - Siemens published an update for their Insyde BIOS advisory that was originally published on February 22nd, 2022 and most recently updated on August 9th, 2022.

Siemens Update #3 - Siemens published an update for their SpringShell advisory that was originally published on April 19th, 2022 and most recently updated on June 14th, 2022.

Siemens Update #4 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on August 9th, 2022.

CCCERT Report #1 - BDU published a report of an open redirect vulnerability in the CCCERT VINCE program.

CCCERT Report #2 - BDU published a report of an open redirect vulnerability in the CCCERT VINCE program.

NOTE: The CCCERT VINCE program is the vulnerability reporting program run by CCCERT and used by NCCIC-ICS.

Robustel Report #1 - TALOS published a report discussing a command injection vulnerability in the Robustel R1510 Lite Industrial IoT Gateway.

Robustel Report #2 - TALOS published a report describing eleven denial of service vulnerabilities in the Robustel R1510.

Robustel Report #3 - TALOS published a report describing a firmware update vulnerability in the Robustel R1510. The report contains proof-of-concept code.

Robustel Report #4 - TALOS published a report describing a directory traversal vulnerability in the Robustel R1510. The report contains proof-of-concept code.

Robustel Report #5 - TALOS published a report discussing an OS command injection vulnerability in the Robustel R1510.

Robustel Report #6 - TALOS published a report discussing an OS command injection vulnerability in the Robustel R1510. The report contains proof-of-concept code.

VMware Report - TALOS published a report describing a deserialization of untrusted data vulnerability in the VMware vCenter Server Platform Services.

For more details on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-8b0 - subscription required.

