This week we have 19 vendor disclosures from ABB, Broadcom
(6), Flexera, Helmholz, HPE (3), MB Connect, OPC Foundation, SICK, TandD,
Western Digital, WAGO, and Zyxel. There are also two updates from BD and HPE.
Finally, we have two exploits for products from Ivanti and Siemens.
Advisories
ABB Advisory - ABB published an
advisory that describes two vulnerabilities in their Terra AC wallbox.
Broadcom Advisory #1 - Broadcom published an
advisory that discusses an out-of-bounds read vulnerability in their Brocade
Directors, Brocade Fabric OS, and Brocade Switches.
Broadcom Advisory #2 - Broadcom published an
advisory that discusses an SQL injection vulnerability in their Brocade
Fabric OS, Brocade SANnav, and Brocade Support Link.
Broadcom Advisory #3 - Broadcom published an advisory that discusses an incorrect permission
assignment for critical resource vulnerability in their Brocade SANnav.
Broadcom Advisory #4 - Broadcom published an
advisory that discusses an SQL injection vulnerability in their Brocade
Fabric OS, Brocade SANnav, and Brocade Support Link.
Broadcom Advisory #5 - Broadcom published an
advisory that discusses an SQL injection vulnerability in their Brocade
Fabric OS, Brocade SANnav, and Brocade Support Link.
Broadcom Advisory #6 - Broadcom published an advisory
that discusses an abuse of service location protocol vulnerability in their Brocade
Fabric OS, Brocade SANnav, Brocade Support Link.
Flexera Advisory - Flexera published an
advisory that discusses four vulnerabilities in their FlexNet Publisher.
Helmholz Advisory - CERT-VDE published an advisory that discusses
two unnamed vulnerabilities in their myREX24 and myREX24.virtual products.
HPE Advisory #1 - HPE published an
advisory that discusses four vulnerabilities in their HP-UX products.
HPE Advisory #2 - HPE published an
advisory that discusses two vulnerabilities in their Edgeline servers.
HPE Advisory #3 - HPE published an
advisory that discusses 11 vulnerabilities in their Cray EX235a Accelerator
Blade.
MB Connect Advisory – MB Connect published an advisory
that describes an incorrectly implemented object cache vulnerability in their mbCONNECT24
and mymbCONNECT24 products.
OPC Foundation - The OPC Foundation published an
advisory that describes an uncontrolled resource consumption vulnerability
in their OPC UA Legacy Java Stack.
SICK Advisory - The SICK product
security page lists a new advisory for “Vulnerabilities in SICK FTMg”.
TandD Advisory - TandD published an advisory that describes
four vulnerabilities in four end-of-life TandD products.
Western Digital Advisory - Western Digital published an
advisory that describes four vulnerabilities in their My Cloud OS 5
Firmware.
WAGO Advisory - CERT-VDE published an advisory that describes
an OS command injection vulnerability in multiple products from WAGO.
Zyxel Advisory #1 - Zyxel published an
advisory that describes four vulnerabilities in their NBG-418N v2 router.
Zyxel Advisory #2 - Zyxel published an
advisory that describes a command injection vulnerability in their NBG6604
router.
Updates
BD Update - BD published an
update for their BD Totalys™ MultiProcessor that was originally published
on October 4th, 2022.
HPE Update - HPE published an
update for their PE Servers using certain Intel Chipset Firmware advisory
that was originally published on February 8th, 2022 an most recently
updated on March 3rd, 2022.
Exploits
Ivanti Exploit - Shelby Pace, Piotr Bazydlo published
a Metasploit
module for an unrestricted upload of file with dangerous type vulnerability
in the Ivanti Avalanche.
Siemens Exploit - RoseSecurity published an
exploit for a cross-site request forgery vulnerability in the SIMATIC
S7-1200 CPU.
For more details on these disclosures, including links to 3rd
party advisories, researcher reports, and exploits, see my article at CFSN
Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-978
- subscription required.