This week we have 26 vendor disclosures from ABB (2), Aruba Networks, BaiCells, Bosch, B&R (2), Hitachi Energy, HPE (8), JTEKT Electronics, Milestone, Riello, strongSwan, Tanzu (2), VMware, WAGO, Western Digital, and Wireshark. We also have three vendor updates from HPE (2) and Mitsubishi. Finally, we have ten researcher reports for products from Osprey (9) and DJI drones.
Vendor Advisories
ABB Advisory #1 - ABB published an advisory that discusses an improper resource shutdown or release vulnerability in ABB AC 800PEC and AC 800PEC-based products.
ABB Advisory #2 - ABB published an advisory that describes an improper authentication vulnerability in their S+ Operations products.
Aruba Advisory - Aruba published an advisory that describes 33 vulnerabilities in their ArubaOS product.
BaiCells Advisory - BaiCells published an advisory that describes a command injection vulnerability in their EG7035-M11 CPE Series products.
Bosch Advisory - Bosch published an advisory that discusses an allocation of resources without limits or throttling vulnerability in their FL MGUARD and TC MGUARD routers.
B&R Advisory #1 - B&R published an advisory that describes five vulnerabilities in their APROL database.
B&R Advisory #2 - B&R published an advisory that discusses five vulnerabilities in their Mobile Panel and Power Panel products.
Hitachi Energy Advisory - Hitachi Energy published an advisory that describes an update-signature validation vulnerability in their Relion® 670, 650 and SAM600-IO Series products.
HPE Advisory #1 - HPE published an advisory that discusses four improper access control vulnerabilities in their Moonshot/Edgeline Servers.
HPE Advisory #2 - HPE published an advisory that discusses an information disclosure vulnerability in their Edgeline Servers.
HPE Advisory #3 - HPE published an advisory that discusses a privilege escalation vulnerability in their Apollo and XL Servers.
HPE Advisory #4 - HPE published an advisory that discusses a privilege escalation vulnerability in their Edgeline Servers.
HPE Advisory #5 - HPE published an advisory that discusses a privilege escalation vulnerability in their Edgeline Servers.
HPE Advisory #6 - HPE published an advisory that discusses an information disclosure vulnerability in their Edgeline Servers.
HPE Advisory #7 - HPE published an advisory that discusses a privilege escalation vulnerability in their Edgeline Servers.
HPE Advisory #8 - HPE published an advisory that discusses two vulnerabilities in their ProLiant DL/ML/Microserver Servers.
JTEKT Advisory - JPCERT/CC published an advisory that describes three vulnerabilities in the JTEKT Kostac PLC Programming Software.
Milestone Advisory - Milestone published an advisory that announces that their online services no longer support the TLS 1.0 and TLS 1.1 protocols.
Riello Advisory - INCIBE-CERT published an advisory that describes three vulnerabilities in the Riello UPS NetMan 204.
strongSwan Advisory - strongSwan published an advisory that describes a certificate verification vulnerability in strongSwan.
Tanzu Advisory #1 - Tanzu published an advisory that discusses three vulnerabilities in multiple Tanzu products.
Tanzu Advisory #2 - Tanzu published an advisory that discusses two vulnerabilities in multiple Tanzu products.
VMware Advisory - VMware published an advisory that describes a passcode bypass vulnerability in their Workspace ONE Content product.
WAGO Advisory - CERT@VDE published an advisory that describes four vulnerabilities in multiple WAGO products.
Western Digital Advisory - Western Digital published an advisory announcing that the latest version of their SanDisk PrivateAccess software no longer supports the “insecure TLS 1.0 and TLS 1.1 protocols”.
Wireshark Advisory - Wireshark published an advisory that describes a vulnerability in their ISO 15765 and ISO 10681 dissectors that can be triggered by a malformed packet injected on the wire or read from a capture file.
Vendor Updates
HPE Update #1 - HPE published an update for their Intel 500 Series Ethernet Controllers advisory that was originally published on February 14th, 2023.
HPE Update #2 - HPE published an update for their ProLiant DL/ML/Microserver Servers advisory that was originally published on February 14th, 2023.
Mitsubishi Update - Mitsubishi published an update for their WEB Server Function on MELSEC Series advisory that was originally published on January 17th, 2023 and most recently updated on January 26th, 2023.
NOTE: NCCIC-ICS has not updated its advisory (ICSA-23-017-02) for this new information.
Researcher Reports
Osprey Report #1 - Zero Science published a report that describes a security bypass vulnerability in the Osprey Pump Controller.
Osprey Report #2 - Zero Science published a report that describes an information disclosure vulnerability in the Osprey Pump Controller.
Osprey Report #3 - Zero Science published a report that describes an administrator backdoor vulnerability in the Osprey Pump Controller.
Osprey Report #4 - Zero Science published a report that describes a command injection vulnerability in the Osprey Pump Controller.
Osprey Report #5 - Zero Science published a report that describes a second command injection vulnerability in the Osprey Pump Controller.
Osprey Report #6 - Zero Science published a report that describes a reflected cross-site scripting vulnerability in the Osprey Pump Controller.
Osprey Report #7 - Zero Science published a report that describes an authentication bypass vulnerability in the Osprey Pump Controller.
Osprey Report #8 - Zero Science published a report that describes a cross-site scripting vulnerability in the Osprey Pump Controller.
Osprey Report #9 - Zero Science published a report that describes a remote code execution vulnerability in the Osprey Pump Controller.
DJI Drones Report - Nico Schiller et al. from Ruhr University Bochum published a report that describes multiple security vulnerabilities in the control system for DJI consumer drones.
For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-3-3 - subscription required.