Saturday, February 11, 2023

Review – Public ICS Disclosures – Week of 2-4-23

This week we have eleven vendor disclosures from ABB, Baicells, Dahua, Palo Alto Networks (5), Ruckus, and Zyxel Networks (2). We also have three vendor updates from CONTEC, HPE, and Moxa. Finally, we have thirteen researcher reports on products from Siemens and Open Design Alliance (12).

NOTE: There have been problems with the NIST NVD CVE listings this morning. They have been slow to load or have not been found. Hopefully this will be corrected in the near future.

Vendor Disclosures

Baicells Advisory - Baicells published an advisory that describes a cross-site scripting vulnerability in their Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices.

Dahua Advisory - Dahua published an advisory that describes an unauthorized modification of device timestamp vulnerability in some of their embedded products.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that discusses an improper privilege management vulnerability in SUDO.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that discusses the OpenSSL vulnerabilities disclosed Feb 7, 2023.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes a protection mechanism failure vulnerability in their Cortex XDR agent.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an information disclosure vulnerability in their Cortex XDR agent.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes a file disclosure vulnerability in their Cortex XSOAR server.

Ruckus Advisory - Ruckus published an advisory that describes a cross-site request forgery vulnerability in multiple products using their AP Web application.

NOTE: Multiple end-of-life products are listed as being affected by this vulnerability.

Zyxel Advisory #1 - Zyxel published an advisory that describes a command injection vulnerability in their firewalls.

Zyxel Advisory #2 - Zyxel published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their APs.

Vendor Updates

CONTEC Update - JP CERT published an update for their Solar View Compact advisory that was originally published on May 26th, 2022 and most recently updated on December 13th, 2022.

HPE Update - HPE published an update for their OneView advisory that was originally published on January 31st, 2023.

Moxa Update - Moxa published an update for their UC Series advisory that was originally published on November 29th, 2023.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-333-04) for this new information.

Researcher Reports

Siemens Report - Otorio published a report describing two vulnerabilities in the Siemens Automation License Manager.

ODA Report #1 - The Zero Day Initiative published a report that describes a memory corruption vulnerability in the ODA Drawing SDK.

ODA Report #2 - ZDI published a report that describes a memory corruption vulnerability in the ODA Drawing SDK.

ODA Report #3 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #4 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #5 - ZDI published a report that describes a heap-based buffer overflow vulnerability in the ODA Drawing SDK.

ODA Report #6 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #7 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #8 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #9 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #10 - ZDI published a report that describes an out-of-bounds write vulnerability in the ODA Drawing SDK.

ODA Report #11 - ZDI published a report that describes a heap-based buffer overflow vulnerability in the ODA Drawing SDK.

ODA Report #12 - ZDI published a report that describes a use-after-free vulnerability in the ODA Drawing SDK.

 

For more details about these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-6e9 - subscription required.
