For Part 2 we have six additional vendor disclosures from Philips, QNAP (3), VMware, and WolfSSL. There are 22 updates for previously made disclosures from Cisco (2), CODESYS (2), Hitachi Energy (13), HP (4), and Palo Alto Networks. We also have a researcher report on vulnerabilities in products from Phoenix Contact. Finally, we have an exploit for products from VMware.
Advisories
Philips Advisory - Philips published an advisory that discusses two vulnerabilities in their Vue PACS and Vue RIS/EI products.
QNAP Advisory #1 - QNAP published an advisory that describes an OS command injection vulnerability in their QTS, Multimedia Console, and Media Streaming add-on products.
QNAP Advisory #2 - QNAP published an advisory that describes an OS command injection vulnerability in their QTS, QuTS hero, and QuTScloud products.
QNAP Advisory #3 - QNAP published an advisory that describes a server-side request forgery vulnerability in their QTS, QuTS hero, and QuTScloud products.
VMware Advisory - VMware published an advisory that describes an open redirect vulnerability in their VMware Workspace ONE UEM console.
WolfSSL Advisory - WolfSSL published an advisory that reports that the latest release of WolfSSL contains a fix for a Bleichenbacher-style attack.
Updates
Cisco Update #1 - Cisco published an update for their IOS XE Software Web UI Feature advisory that was originally published on October 16th, 2023 and most recently updated on October 31st, 2023.
Cisco Update #2 - Cisco published an update for their HTTP/2 Rapid Reset Attack advisory that was originally published on October 16th, 2023 and most recently updated on October 31st, 2023.
CODESYS Update #1 - CODESYS published an update for their Development System V3 advisory that was originally published on July 20th, 2023 and most recently updated on August 3rd, 2023.
CODESYS Update #2 - CODESYS published an update for their Control V3 advisory that was originally published on July 20th, 2023, and most recently updated on August 3rd, 2023.
Hitachi Energy Update #1 - Hitachi Energy published an update for their Password in Memory Vulnerability advisory that was originally published on November 15, 2022.
Hitachi Energy Updates #2-12 - Hitachi Energy published updates for 12 advisories for the purpose of rebranding the advisories for “Hitachi/ABB Power Grids” to “Hitachi Energy”. No other changes were made.
HP Update #1 - HP published an update for their HP PC Hardware Diagnostics Windows advisory that was originally published on May 11th, 2023.
HP Update #2 - HP published an update for their HP PC BIOS September 2023 Security Updates for OpenSSL advisory that was originally published on September 5th, 2023.
HP Update #3 - HP published an update for their AMD Client UEFI Firmware August 2023 Security Update that was originally published on August 8th, 2023 and most recently updated on October 16th, 2023.
HP Update #4 - HP published an update for their AMD Client UEFI DXE Driver Memory Leaks advisory that was originally published on September 21st, 2023.
Palo Alto Networks Update - Palo Alto Networks published an update for their Impact of curl and libcurl Vulnerabilities advisory that was originally published on October 12th, 2023.
Researcher Reports
Phoenix Contact Report - Nozomi Networks published a report describing three vulnerabilities in the Phoenix Contact HMI product.
For more details about these disclosures, including a brief summary of changes made in updates, links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-10-742 - subscription required.