Saturday, July 1, 2023

Review – Public ICS Disclosures – Week of 6-24-23

This week we have 39 vendor disclosures from Bosch (2), Carrier, Demes Group, GE Gas Power (2), Hitachi Energy (5), Philips, Tanzu (26), and WAGO. There is an update from CODESYS. Finally, we have a researcher report for vulnerabilities in products from Atlas Copco.

Advisories

Bosch Advisory #1 - Bosch published an advisory that describes an information disclosure vulnerability in their Bosch IP camera devices.

Bosch Advisory #2 - Bosch published an advisory that describes an incomplete documentation of program execution vulnerability in their BIS installations worldwide.

Carrier Advisory - Carrier published an advisory that discusses the MOVEit vulnerabilities.

Demes Group Advisory - Incibe-CERT published an advisory that describes an improper access control vulnerability in the Demes Airspace CCTV Camera Control Panel.

GE Gas Power Advisory #1 - GE published an advisory that discusses the MOVEit vulnerabilities.

GE Gas Power Advisory #2 - GE published an advisory that discusses recent Volt Typhoon attacks.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a timing-based side-channel vulnerability in their Relion series products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses a timing-based side-channel vulnerability in their PWC600 product.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that discusses a timing-based side-channel vulnerability in their GMS600 product.

Hitachi Energy Advisory #4 - Hitachi Energy published an advisory that discusses eight vulnerabilities in their Lumada Asset Performance Management (APM) product.

Hitachi Energy Advisory #5 - Hitachi Energy published an advisory that describes an OS command injection vulnerability in their TXpert Hub CoreTec 4 product.

Philips Advisory - Philips published an advisory that discusses an improper resource control vulnerability in Citrix ShareFile Storage Zones Controllers.

Tanzu Advisories - Tanzu published 26 advisories describing individual third-party vulnerabilities in their products.

WAGO Advisory - CERT-VDE published an advisory that describes two vulnerabilities in their controllers with CODESYS 2.3 Runtime.

Updates

CODESYS Updates - CODESYS published an update for their SysDrv3S advisory that was originally published on March 24th, 2022 and most recently updated on April 6th, 2022.

Reports

Atlas Copco Report - Otorio published a report describing three vulnerabilities in the Atlas Copco Power Focus 6000 Torque Controller.

 

For more information on these disclosures, including links to 3rd party reports and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-040 - subscription required.
