Review: Public ICS Disclosures – Week of 1-7-23 – Part 1

This is a moderately busy Saturday after Cyber Tuesday. For Part 1 this week we have seventeen vendor disclosures from GE Grid Solutions (8), HP, HPE, Moxa, Omron (2), WAGO, Westermo, and Western Digital (2). We also have two vendor updates from BD and HPE. I will look at the Schneider and Siemens advisories and updates in Part 2.

Vendor Advisories

GE Grid Advisories - GE Grid Solutions published eight advisories this week. The advisories are only available to registered users.

HP Advisory - HP published an advisory that discusses three vulnerabilities in the AMD Client UEFI Firmware used in a variety of HP products.

HPE Advisory - HPE published an advisory that discusses a privilege escalation vulnerability in their SimpliVity 380 Gen9 Servers.

Moxa Advisory - Moxa published an advisory that discusses a hard-coded credential vulnerability (with known exploit) in their TN-4900 Series routers.

Omron Advisory #1 - JPCERT published an advisory that describes an active debug code vulnerability in the OMRON CP1L-EL20DR-D PLC.

Omron Advisory #2 - JPCERT published an advisory that describes an uninitiated pointer vulnerability in the OMRON CX-Motion-MCH application.

WAGO Advisory - CERT-VDE published an advisory that describes a missing authentication for critical function vulnerability in multiple products from WAGO.

Westermo Advisory - Westermo published an advisory that discusses an unnamed vulnerability in their Ibex software where SNMP v3 is enabled.

Western Digital Advisory #1 - Western Digital published an advisory that describes a Host Boot ROM code vulnerability. This is a vulnerability in the UFS Host implementation.

NOTE: So, this is not a Western Digital vulnerability, but one that they discovered in an industry standard service. This could get ugly.

Western Digital Advisory #2 - Western Digital published an advisory that describes four vulnerabilities in their My Cloud OS 5 devices.

Vendor Updates

BD Update - BD published an update to their Totalys™ MultiProcessor advisory that was originally published on October 4^th, 2022.

NOTE: NCCIC-ICS has not yet updated their advisory (ICSMA-22-277-01) for this information.

HPE Update - HPE published an update for their Nonstop advisory that was originally published on July 18^th, 2022.

 

For more details on these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-b04 - subscription required.