Saturday, January 21, 2023

Review – Public ICS Disclosures – Week of 1-14-23

This week we have twelve vendor disclosures from Campbell Scientific, Contec, HIMA, HP, Medtronic, and Wireshark (7). We also have two researcher disclosures for products from Mitsubishi and GE.

Vendor Disclosures

Campbell Advisory - INCIBE-CERT published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in the Campbell dataloggers.

Contec Advisory - Contec published an advisory that describes SQL injection vulnerabilities in their CONPROSYS HMI System.

HIMA Advisory - CERT-VDE published an advisory that describes an unquoted Windows search path vulnerability in multiple HIMA X-OPC and X-OTS products.

HP Advisory - HP published an advisory that discusses eight vulnerabilities in multiple HP products.

Medtronic Advisory - Medtronic published an end-of-life notice for their superDimension™ navigation system.

Wireshark Advisory #1 - Wireshark published an advisory that describes a packet injection vulnerability in their EAP dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a memory leak vulnerability in their NFS dissector.

Wireshark Advisory #3 - Wireshark published an advisory that describes a denial of service vulnerability in their Dissection engine.

Wireshark Advisory #4 - Wireshark published an advisory that describes a denial of service vulnerability in their GNW dissector.

Wireshark Advisory #5 - Wireshark published an advisory that describes a denial of service vulnerability in their iSCSI dissector.

Wireshark Advisory #6 - Wireshark published an advisory that describes an excessive loop vulnerability in multiple dissectors.

Wireshark Advisory #7 - Wireshark published an advisory that describes a denial of service vulnerability in their TIPC dissector.

Researcher Reports

Mitsubishi Report - Cisco Talos published a report that describes an authentication bypass vulnerability in the Mitsubishi MELSEC iQ-FX5U webserver.

GE Report - Claroty published a report that describes five vulnerabilities in the GE Proficy Historian. The report contains proof-of-concept code.

 

For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-6c3 - subscription required.
