Saturday, June 3, 2023

Review – Public ICS Disclosure – Week of 5-27-23

This week we have 31 vendor disclosures from BD, Bosch, B&R, Contec, Eaton, Fuji Electric, Hitachi Energy (2), HPE (3), Mitsubishi, Splunk (15), VMware, and Zyxel (3). There are also four vendor updates from HPE (2) and Moxa (2). We also have 40 researcher reports for vulnerabilities for products from Delta Electronics (22), Fatek Automation (11), Mitsubishi, and Unified Automation (6). Finally, we have an exploit for products from Seagate.

Advisories

BD Advisory - BD published an advisory that discusses a buffer underflow vulnerability in some of their Kiestra products.

Bosch Advisory - Bosch published an advisory that describes a chip damaging vulnerability in their CPP13 and CPP14 cameras.

B&R Advisory - B&R published an advisory that discusses an abuse of service location protocol vulnerability in their ARPOL product.

Contec Advisory - Contec published an advisory that describes seven vulnerabilities in their CONPROSYS HMI System.

Eaton Advisory - Eaton published an advisory that describes a group access authorization logic vulnerability in their SecureConnect portal.

Fuji Electric - JP CERT published an advisory that describes three vulnerabilities in the Fuji Electric FRENIC RHC Loader.

Hitachi Energy Advisory #1 - Hitachi published an advisory that describes an improper output neutralization for logs vulnerability in their UNEM product.

Hitachi Energy Advisory #2 - Hitachi published an advisory that describes an improper output neutralization for logs vulnerability in their FOXMAN-UN product.

HPE Advisory #1 - HPE published an advisory that describes an arbitrary code execution vulnerability in their Smart Storage Administrator (SSA) Offline product.

HPE Advisory #2 - HPE published an advisory that discusses four vulnerabilities in their HP-UX BIND product.

HPE Advisory #3 - HPE published an advisory that describes a denial of service vulnerability in their HP-UX IPv6 Stack.

Mitsubishi Advisory - Mitsubishi published an advisory that describes four vulnerabilities in their MELSEC iQ-R Series/iQ-F Series EtherNet/IP modules and EtherNet/IP configuration tools.

Splunk Advisories 1-3 - Splunk published three advisories for product updates for third party vulnerabilities.

Splunk Advisories 4-15 - Splunk published 12 advisories for individual vulnerabilities in multiple products.

VMware Advisory - VMware published an advisory that describes an insecure redirect vulnerability in their Workspace ONE Access and Identity Manager products.

Zyxel Advisory #1 - Zyxel published an advisory that describes two classic buffer overflow vulnerabilities in their firewalls.

Zyxel Advisory #2 - Zyxel published an advisory that describes an OS command injection vulnerability in some of their NAS versions.

Zyxel Advisory #3 - Zyxel published an advisory that discusses recent attacks on their ZyWALL devices.

Updates

HPE Update #1 - HPE published an update for their StoreEasy Servers advisory that was originally published on February 14th, 2023 and most recently updated on March 23rd, 2023.

HPE Update #2 - HPE published an update for their OneView advisory that was originally published on February 6th, 2023.

Moxa Update #1 - Moxa published an update for their MXsecurity advisory that was originally published on March 8th, 2023 and most recently updated on May 23rd, 2023.

Moxa Update #2 - Moxa published an update for their Arm-based Computer advisory that was originally published on November 22nd, 2022.

Researcher Reports

Delta Electronics Reports - ZDI published 22 reports about individual vulnerabilities in the Delta CNCSoft-B product.

Fatek Reports - ZDI published eleven reports about individual vulnerabilities in the Fatek FvDesigner.

Mitsubishi Report - Talos Intelligence published a report describing a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U MELSOFT.

Unified Automation Report #1 - Claroty published a report that describes an object validation vulnerability in the Unified Automation UaGateway.

Unified Automation Reports #2-6 - ZDI published five reports describing vulnerabilities in the Unified Automation UaGateway.

Exploits

Seagate Exploit - Ege Balci published a Metasploit module for an OS command injection vulnerability in the Seagate Central External NAS Storage device.


For more details about these disclosures, including links to researcher reports and exploits, as well as a brief description of new information in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-5-27 - subscription required.

