This week we have an OpenSSL 3.0 advisory from Dell. We have seven vendor disclosures from Carrier, Contec, GE Grid Solutions, Meinberg, Omron, and PulseSecure (2). We also have three vendor updates from CODESYS, HPE, and PcVue. Finally, we have 16 researcher reports for products from Siretta (14), Zyxel, and Delta Electronics.
OpenSSL 3.0 Advisories

Dell published an advisory that discusses the OpenSSL 3.0 vulnerabilities.
Vendor Advisories

Carrier Advisory - Carrier published an advisory that discusses multiple authentication bypass vulnerabilities in their WebCTRL® and i-Vu® software.

Contec Advisory - Contec published an advisory that describes an SQL injection vulnerability in the Contec CONPROSYS HMI System.

GE Grid Solutions Advisory - GE Grid Solutions published an advisory for their DS Agile Distributed Control System.

Meinberg Advisory - Meinberg published an advisory that discusses eight vulnerabilities in their LANTIME product.

Omron Advisory - JPCERT published an advisory that describes an improper restriction of an XML entity reference vulnerability in the OMRON CX-Motion Pr.

PulseSecure Advisory #1 - PulseSecure published an advisory that discusses a use-after-free vulnerability.

PulseSecure Advisory #2 - PulseSecure published an advisory that discusses a double free vulnerability.
Vendor Updates

CODESYS Update - CODESYS published an update for their Control V3 communication server advisory that was originally published on November 22nd, 2022, and most recently updated on December 14th, 2022.

HPE Update - HPE published an update for their IceWall advisory that was originally published on March 9th, 2018, and most recently updated on May 26th, 2021.

PcVue Update - PcVue published an update for their email and SMS accounts advisory that was originally published on November 25th, 2022, and most recently updated on December 20th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-354-03) to reflect this information.
Researcher Reports

Siretta Report #1 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing 46 stack-based buffer overflow vulnerabilities.

Siretta Report #2 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a directory traversal vulnerability.

Siretta Report #3 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing four command injection vulnerabilities.

Siretta Report #4 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a heap-based buffer overflow vulnerability.

Siretta Report #5 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a file write vulnerability.

Siretta Report #6 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a leftover debug code vulnerability.

Siretta Report #7 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #8 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #9 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #10 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a stack-based buffer overflow vulnerability.

Siretta Report #11 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a directory traversal vulnerability.

Siretta Report #12 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #13 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a directory traversal vulnerability.

Siretta Report #14 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a stack-based buffer overflow vulnerability.

Zyxel Report - Positive Technologies published a report describing an improper check for unusual or exceptional conditions vulnerability in Zyxel switches.

Delta Report - Tenable published a report describing a privilege escalation vulnerability in the Delta Electronics InfraSuite Device Master.
For more details about these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-e09 - subscription required.