This week we have twelve vendor disclosures about the recent OpenSSL vulnerabilities from Aruba Networks, Broadcom, Keysight, Milestone, Moxa, Palo Alto Networks, Roche, Rockwell Automation, Software Toolbox, Watchguard, and Wind River. We also have twelve other vendor disclosures from Belden, Hitachi, Insyde (6), Sick, and Tanzu (3). There are six vendor updates for products from CODESYS. Finally, we have two exploits for products from FLIR and Veeder-Root.
OpenSSL Vulnerabilities Disclosures
Aruba reports that none of their products are affected by the vulnerabilities.
Broadcom provides a list of unaffected products.
Dell reports that they are reviewing their products to see which may be affected by the vulnerabilities.
Keysight reports that none of their products are affected by the vulnerabilities.
Milestone reports limited impact in their XProtect VMS 2022 R3. An update is pending.
Moxa reports that none of their products are affected by the vulnerabilities.
Palo Alto Networks reports that earlier versions of Cortex XDR Broker VM contain the affected OpenSSL version but are not affected by the vulnerabilities. Other products are not affected.
Roche reports that none of their products are affected by the vulnerabilities.
Rockwell reports that they are reviewing their products to see which may be affected by the vulnerabilities.
Software Toolbox reports that none of their products are affected by the vulnerabilities.
Watchguard provides a list of unaffected products.
Wind River provides a list of affected products. Fixes are pending.
Other Vendor Disclosures
Belden Advisory - Belden published an advisory that describes a command insertion vulnerability in their (Hirschmann) Industrial HiVision product.
Hitachi Advisory - Hitachi published an advisory that discusses 60 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities.
Insyde Advisory #1 - Insyde published an advisory that discusses an observable discrepancy vulnerability in their InsydeH2O product.
Insyde Advisory #2 - Insyde published an advisory that discusses two vulnerabilities in their InsydeH2O product.
Insyde Advisory #3 - Insyde published an advisory that discusses an out-of-bounds read vulnerability in their InsydeH2O product.
Insyde Advisory #4 - Insyde published an advisory that describes a stack-based buffer overflow vulnerability in their InsydeH2O product.
Insyde Advisory #5 - Insyde published an advisory that describes a stack-based buffer overflow in their InsydeH2O product.
Insyde Advisory #6 - Insyde published an advisory that describes a stack-based buffer overflow in their InsydeH2O product.
Sick Advisory - Sick reports a denial of service vulnerability in their FlexiCompact product.
NOTE: The Sick PSIRT web page continues to have problems with inoperable links.
Tanzu Advisory #1 - Tanzu published an advisory that describes a privilege escalation vulnerability in their spring-security-oauth2-client.
Tanzu Advisory #2 - Tanzu published an advisory that describes an authorization bypass vulnerability in their Spring Security product.
Tanzu Advisory #3 - Tanzu published an advisory that describes a remote code execution vulnerability in their Spring Tools 4 for Eclipse product.
CODESYS Update #1 - CODESYS published an update for their CODESYS communication server advisory that was originally published on May 19th, and most recently updated on October 6th, 2022.
CODESYS Update #2 - CODESYS published an update for their V3 web server advisory that was originally published on March 24th, 2022 and most recently updated on June 30th, 2022.
CODESYS Update #3 - CODESYS published an update for their CODESYS communication server advisory that was originally published on March 24th, 2022 and most recently updated on June 30th, 2022.
CODESYS Update #4 - CODESYS published an update for their Control V3 online user management advisory that was originally published on March 24th, 2022 and most recently updated on June 30th, 2022.
CODESYS Update #5 - CODESYS published an update for their V3 products using the CODESYS communication protocol advisory that was originally published on March 24th, 2022 and most recently updated on June 30th, 2022.
CODESYS Update #6 - CODESYS published an update for their Control V3 configuration file advisory that was originally published on March 24th, 2022, and most recently updated on October 6th, 2022.
Exploits
FLIR Exploit - Samy Younsi published a Metasploit module for a command injection vulnerability in the FLIR AX8 infrared monitoring camera.
Veeder-Root Exploit - Rose Security published an exploit for a remote configuration disclosure vulnerability in the Veeder-Root (and probably other vendor) automated tank gauges.
For more details about these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-10-c49 - subscription required.