Saturday, December 23, 2023

Review – Public ICS Disclosures – Week of 9-16-23

This week we have 18 vendor disclosures from Broadcom (3), Eaton (2), GE Gas Power, Hitachi, Hitachi Energy (2), Honeywell, HPE (4), Mitsubishi, Moxa, and SEL (2). There are five vendor updates from Cisco (2) and Hitachi Energy (3). Finally, we have 29 researcher reports for vulnerabilities in products from Honeywell (7), Inductive Automation, and Voltronic Power (21).

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses a path traversal vulnerability in their Brocade Fabric OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses a path traversal vulnerability in their Brocade Fabric OS.

Broadcom Advisory #3 - Broadcom published an advisory that discusses a missing authentication vulnerability in their Brocade Fabric OS.

Eaton Advisory #1 - Eaton published an advisory that describes an access control vulnerability in their User Management System.

Eaton Advisory #2 - Eaton published an advisory that discusses a deserialization of untrusted data vulnerability in multiple Eaton products that is listed in the CISA Known Exploited Vulnerability Catalog.

GE Gas Power Advisory - GE published an advisory that discusses an authentication bypass vulnerability in the Triangle Microworks SCADA Data Gateway.

Hitachi Advisory - Hitachi published an advisory that discusses two vulnerabilities in the JP1/VERITAS product.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes an improper input validation vulnerability in their RTU500 series products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes an improper certificate validation vulnerability in their RTU500 scripting interface.

Honeywell Support Notice - Honeywell published a support notice for their Vindicator line of access control systems. Honeywell notes that their systems using Windows 7 and Windows XP operating systems will receive only limited support.

HPE Advisory #1 - HPE published an advisory that discusses three vulnerabilities in their Unified OSS Console.

HPE Advisory #2 - HPE published an advisory that describes a cross-site scripting vulnerability in their Unified OSS Console.

HPE Advisory #3 - HPE published an advisory that discusses a code corruption vulnerability in their IceWall Gen11 certd module.

HPE Advisory #4 - HPE published an advisory that describes an authentication bypass vulnerability in their Integrated Lights-Out 5 and 6 products.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses three vulnerabilities in multiple FA products.

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their ioLogik E1200 Series Web Server.

SEL Advisories - SEL published two software revision notices that include fixes for cybersecurity vulnerabilities.

Updates

Cisco Update #1 - Cisco published an update for their HTTP/2 Rapid Reset Attack advisory that was originally published on October 16th, 2023 and most recently updated on December 5th, 2023.

Cisco Update #2 - Cisco published an update for their Apache Struts Vulnerability advisory that was originally published on December 12th, 2023 and most recently updated on December 15th, 2023.

Hitachi Energy Update #1 - Hitachi Energy published an update for their AFS65x, AFS67x, AFR67x and AFF66x series products advisory that was originally published on September 26th, 2023.

Hitachi Energy Update #2 - Hitachi Energy published an update for their AFF66x products advisory that was originally published on July 25th, 2023.

Hitachi Energy Update #3 - Hitachi Energy published an update for their Apache ActiveMQ advisory that was originally published on November 14th, 2023.

Researcher Reports

Honeywell Reports - ZDI published 7 advisories for individual vulnerabilities in the Honeywell Saia PG5 Controls Suite.

Inductive Automation Report - ZDI published a report that describes a deserialization of untrusted data vulnerability in the Inductive Automation Ignition product.

Voltronic Reports - The Zero Day Initiative published 21 advisories for individual vulnerabilities in the Voltronic Power ViewPower Pro.

For more details about these disclosures, including links to researcher reports and 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-552 - subscription required.
