Sunday, June 18, 2023

Review – Public ICS Disclosures – Week of 6-10-23 – Part 2

For Part 2 we have an additional 26 vendor disclosures from FortiGuard (22) and Schneider (4). We also have nine vendor updates from Schneider (1) and Siemens (8).

Advisories

FortiGuard Advisory #1 - FortiGuard published an advisory that describes a NULL pointer dereference vulnerability in their FortiOS & FortiProxy products.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a command injection vulnerability in their FortiADC & FortiADC Manager products.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes a command injection vulnerability in their FortiADC product.

FortiGuard Advisory #4 - FortiGuard published an advisory that describes an incorrect default permissions vulnerability in their FortiClient (Windows) / FortiConverter (Windows) products.

FortiGuard Advisory #5 - FortiGuard published an advisory that describes a server-side request forgery vulnerability in their FortiManager & FortiAnalyzer products.

FortiGuard Advisory #6 - FortiGuard published an advisory that describes an access control vulnerability in their FortiNAC products.

FortiGuard Advisory #7 - FortiGuard published an advisory that describes an improper permissions, privileges, and access controls vulnerability in their FortiNAC products.

FortiGuard Advisory #8 - FortiGuard published an advisory that describes an access of uninitialized pointer vulnerability in their FortiOS & FortiProxy products.

FortiGuard Advisory #9 - FortiGuard published an advisory that describes a use of externally-controlled format string vulnerability in their FortiOS & FortiProxy products.

FortiGuard Advisory #10 - FortiGuard published an advisory that describes a heap-based buffer overflow vulnerability in their FortiOS & FortiProxy products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog.

FortiGuard Advisory #11 - FortiGuard published an advisory that describes an improper certificate validation vulnerability in their FortiOS & FortiProxy products.

FortiGuard Advisory #12 - FortiGuard published an advisory that describes an out-of-bounds write vulnerability in their FortiOS & FortiProxy products.

FortiGuard Advisory #13 - FortiGuard published an advisory that describes an insertion of sensitive information into log file vulnerability in their FortiOS & FortiProxy products.

FortiGuard Advisory #14 - FortiGuard published an advisory that describes a format string bug vulnerability in their FortiOS products.

FortiGuard Advisory #15 - FortiGuard published an advisory that describes a NULL pointer dereference vulnerability in their FortiOS products.

FortiGuard Advisory #16 - FortiGuard published an advisory that describes a NULL pointer dereference vulnerability in their FortiOS products.

FortiGuard Advisory #17 - FortiGuard published an advisory that describes a relative path traversal vulnerability in their FortiOS, FortiProxy & FortiSwitchManager products.

FortiGuard Advisory #18 - FortiGuard published an advisory that describes an infinite loop vulnerability in their FortiOS, FortiProxy & FortiWeb products.

FortiGuard Advisory #19 - FortiGuard published an advisory that describes a cleartext transmission of sensitive information vulnerability in their FortiOS/FortiProxy products.

FortiGuard Advisory #20 - FortiGuard published an advisory that describes an improper restriction of excessive authentication attempts vulnerability in their FortiSIEM products.

FortiGuard Advisory #21 - FortiGuard published an advisory that describes a plaintext storage of a password vulnerability in their FortiSIEM products.

FortiGuard Advisory #22 - FortiGuard published an advisory that describes a use of a broken or risky cryptographic algorithm vulnerability in their FortiSIEM products.

Schneider Advisory #1 - Schneider published an advisory that describes a code injection vulnerability in their EcoStruxure™ Operator Terminal Expert and Pro-face BLUE products.

Schneider Advisory #2 - Schneider published an advisory that describes a deserialization of untrusted data vulnerability in their IGSS Dashboard product.

Schneider Advisory #3 - Schneider published an advisory that discusses a clear-text storage of credentials vulnerability in their Foxboro SCADA product.

Schneider Advisory #4 - Schneider published an advisory that describes two vulnerabilities in their EcoStruxure Foxboro DCS Control Core Services product.

Updates

Schneider Update - Schneider published an update for their Easy UPS Online Monitoring Software advisory that was originally published on April 11th, 2023 and most recently updated on April 19th, 2023.

Siemens Update #1 - Siemens published an update for their Xpedition Designer advisory that was originally published on June 14th, 2022.

Siemens Update #2 - Siemens published an update for their Mendix SAML module advisory that was originally published on March 14th, 2023.

Siemens Update #3 - Siemens published an update for their Desigo PXC/PXM devices advisory that was originally published on January 24th, 2018 and most recently updated on March 12th, 2019.

Siemens Update #4 - Siemens published an update for their OpenSSL advisory that was originally published on June 14th, 2022 and most recently updated on May 9th, 2023.

Siemens Update #5 - Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023.

Siemens Update #6 - Siemens published an update for their web server of SICAM P850 and SICAM P855 devices advisory that was originally published on October 11th, 2022, and most recently updated on December 13th, 2022.

Siemens Update #7 - Siemens published an update for their GNU/Linux subsystem of the SIMATIC S7-1500 CPU advisory that was originally published on November 27th, 2018 and most recently updated on March 14th, 2023.

Siemens Update #8 - Siemens published an update for their Teamcenter Visualization and JT2Go advisory that was originally published on November 8th, 2022 and most recently updated on December 13th, 2022.

For more details on these disclosures, including links to 3rd party advisories and brief descriptions of the changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-893 - subscription required.
