Saturday, February 17, 2024

Review – Public ICS Disclosures – Week of 2-10-24 – Part 1

This week we have vendor disclosures from B&R Automation, Buffalo, Hima, Hitachi, HP (7), HPE (5), Palo Alto Networks (6), Philips, and QNAP.

Part 2 will include looks at advisories and updates from Schneider, Siemens, and VMware, along with two control system exploits.

Advisories

B&R Advisory - B&R published an advisory that discusses the Terrapin-Attack vulnerability.

Buffalo Advisory - JP-CERT published an advisory that describes three vulnerabilities in multiple Buffalo network devices.

Hima Advisory - CERT-VDE published an advisory that describes two vulnerabilities in multiple Hima products.

Hitachi Advisory - Hitachi published an advisory that discusses 17 vulnerabilities in their Disk Array products.

HP Advisory #1 - HP published an advisory that discusses an improper access control vulnerability in their Thunderbolt docking stations.

HP Advisory #2 - HP published an advisory that describes a privilege escalation vulnerability in their Workstation products.

HP Advisory #3 - HP published an advisory that discusses four vulnerabilities in their Workstation products.

HP Advisory #4 - HP published an advisory that describes two physical bypass of security measures vulnerabilities in their Desktop PC and workstation products.

HP Advisory #5 - HP published an advisory that discusses an improper access control vulnerability in their desktop computers.

HP Advisory #6 - HP published an advisory that discusses ten vulnerabilities in multiple HP product lines.

HP Advisory #7 - HP published an advisory that discusses 20 vulnerabilities in multiple product lines.

HPE Advisory #1 - HPE published an advisory that discusses the Terrapin-Attack vulnerability.

HPE Advisory #2 - HPE published an advisory that discusses two vulnerabilities in their ProLiant Servers.

HPE Advisory #3 - HPE published an advisory that discusses two improper access control vulnerabilities in HPE ProLiant AMD Servers.

HPE Advisory #4 - HPE published an advisory that discusses the PixieFail vulnerabilities.

HPE Advisory #5 - HPE published an advisory that discusses a "sequence of processor instructions leads to unexpected behavior" vulnerability in their SimpliVity Servers.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that describes a cross-site scripting vulnerability in their PAN-OS products.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes an insufficient session expiration vulnerability in their PAN-OS web interface.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes an improper verification of source of communication channel vulnerability in their PAN-OS products.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes a cross-site scripting vulnerability in their PAN-OS products.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes a cross-site scripting vulnerability in their PAN-OS products.

Palo Alto Networks Advisory #6 - Palo Alto Networks published an advisory that discusses 38 vulnerabilities.

Philips Advisory - Philips published an advisory that discusses four recently reported vulnerabilities in the Ivanti Connect Secure and Policy Secure.

QNAP Advisory - QNAP published an advisory that describes two vulnerabilities in their QTS, QuTS hero and QuTScloud.

 

For more information on these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-a49 - subscription required.
