Saturday, January 6, 2024

Review – Public ICS Disclosures – Week of 12-30-23

This week we have 15 vendor disclosures from HPE (2), QNAP (8), and Wireshark (5). There are also six vendor updates from Dell, HP (4), and Moxa. Finally, we have five researcher reports for products from Inductive Automation.

Advisories

HPE Advisory #1 - HPE published an advisory that discusses five vulnerabilities in their ProLiant RL300 Gen11 Servers.

HPE Advisory #2 - HPE published an advisory that discusses four vulnerabilities in their Unified OSS Console Assurance Monitoring (UOCAM) product. One of the vulnerabilities is listed on CISA’s Known Exploited Vulnerability (KEV) catalog.

QNAP Advisory #1 - QNAP published an advisory that describes six classic buffer overflow vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #2 - QNAP published an advisory that describes a heap-based buffer overflow vulnerability in their Netatalk product.

QNAP Advisory #3 - QNAP published an advisory that describes two vulnerabilities in their Video Station product.

QNAP Advisory #4 - QNAP published an advisory that describes an SQL injection vulnerability in their QuMagie product.

QNAP Advisory #5 - QNAP published an advisory that describes two vulnerabilities in their QuMagie product.

QNAP Advisory #6 - QNAP published an advisory that describes an OS command injection vulnerability in their QTS and QuTS hero products.

QNAP Advisory #7 - QNAP published an advisory that describes a prototype pollution vulnerability in their QTS and QuTS hero products.

QNAP Advisory #8 - QNAP published an advisory that describes an OS command injection vulnerability in their QcalAgent.

Wireshark Advisory #1 - Wireshark published an advisory that describes an uncontrolled recursion vulnerability in their GVCP dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a NULL pointer dereference vulnerability in their IEEE 1609.2 dissector.

Wireshark Advisory #3 - Wireshark published an advisory that describes an out-of-bounds read vulnerability in their HTTP3 dissector.

Wireshark Advisory #4 - Wireshark published an advisory that describes an uncontrolled recursion vulnerability in their Zigbee TLV dissector.

Wireshark Advisory #5 - Wireshark published an advisory that describes an uncontrolled recursion vulnerability in their DOCSIS dissector.

Updates

Dell Update - Dell published an update for their Apache Log4j advisory that was originally published in December 2021 and most recently updated on December 14th, 2022.

HP Update #1 - HP published an update for their Intel Virtual RAID advisory that was originally published on November 20th, 2023.

HP Update #2 - HP published an update for their Intel Dynamic Tuning Technology Software advisory that was originally published on November 6th, 2023.

HP Update #3 - HP published an update for their AMD Client UEFI Firmware advisory that was originally published on December 7th, 2023.

HP Update #4 - HP published an update for their HP PC BIOS advisory that was originally published on September 5th, 2023 and most recently updated on November 2nd, 2023.

Researcher Reports

Inductive Automation Reports - The Zero Day Initiative published five reports describing individual vulnerabilities in the Inductive Automation Ignition product.


For more details about these disclosures, including links to third-party advisories and researcher reports as well as brief summaries of the changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-5ae - subscription required.
