Saturday, July 8, 2023

Review – Public ICS Disclosures – Week of 7-1-23

This week we have eleven vendor disclosures from Aruba Networks, Bosch (2), Enphase, Frauscher Sensortechnik, Hikvision, Moxa, Softing (2), VMware and Zyxel. And we have 29 researcher reports for products from Panasonic (3), Milesight (25), and Siemens.

Advisories

Aruba Advisory - Aruba published an advisory that describes nine vulnerabilities in the Aruba OS products.

Bosch Advisory #1 - Bosch published an advisory that discusses two vulnerabilities in their FL MGUARD family devices.

Bosch Advisory #2 - Bosch published an advisory that discusses a missing authentication for critical function vulnerability in their SLC-0-GPNT00300 interface module.

Enphase Advisory - Enphase published an advisory that describes an OS command injection vulnerability in their Enphase IQ Gateway (Envoy).

Frauscher Advisory - CERT-VDE published an advisory that describes a path traversal vulnerability in the Frauscher Diagnostic System FDS001 for FAdC R1 and FAdCi R1.

Hikvision Advisory - Hikvision published an advisory that describes two vulnerabilities in their access control/intercom products.

Moxa Advisory - Moxa published an advisory that describes an observable response discrepancy vulnerability in their TN-5900 Series product.

Softing Advisory #1 - Softing published an advisory that describes two vulnerabilities in their OPC UA C++ SDK and Secure Integration Server.

Softing Advisory #2 - Softing published an advisory that describes an uncontrolled resource consumption vulnerability in a number of their products.

VMware Advisory - VMware published an advisory that describes an authentication bypass vulnerability in their SD-WAN (Edge) product.

Zyxel Advisory - Zyxel published an advisory that describes a classic buffer overflow vulnerability in their 4G LTE and 5G NR outdoor routers.

Researcher Reports

Panasonic Reports - AWESEC published three reports describing individual vulnerabilities in the Panasonic AiSEG2.

Milesight Reports - Talos Intelligence published 25 reports (some with multiple vulnerabilities) for the Milesight UR32L urvpn_client and MilesightVPN server.

Siemens Report - SEC Consult published a report describing four vulnerabilities in the Siemens A8000 product.

For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-bcb - subscription required.
