This week we have nine vendor disclosures from Hitachi, HPE (4), Peplink, Philips, and Rockwell (2). There are also five vendor updates from B&R (2), Contec, HPE, and Palo Alto Networks. We also have eleven researcher reports about vulnerabilities in products from Elber (10) and Silicon Labs. Finally, we have two exploits for products from Palo Alto Networks.
NOTE: HP reports that they have an update for their NVIDIA GPU Display Driver advisory that was originally published on March 12th, 2024, but the link currently goes to a blank page.
Advisories
Hitachi Advisory - Hitachi published an advisory that discusses an allocation of resources without limit or throttling vulnerability in their JP1 product.
HPE Advisory #1 - HPE published an advisory that discusses an out-of-bounds write vulnerability in their Superdome Flex, Superdome Flex 280 and Compute Scale-up Server 3200 Servers.
HPE Advisory #2 - HPE published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their Compute Scale-up Server 3200 server.
HPE Advisory #3 - HPE published an advisory that discusses five vulnerabilities (three with exploits available) in their Telco IP Mediation E-Media product.
HPE Advisory #4 - HPE published an advisory that describes an insertion of sensitive information into a logfile vulnerability in their Compute Scale-up Server 3200 Server.
Peplink Advisory - Peplink published an advisory that describes five vulnerabilities in their Smart Reader access control product.
Philips Advisory - Philips published an advisory that discusses a CISA report of a compromise of Sisense Customer Data.
Rockwell Advisory #1 - Rockwell published an advisory that describes an improper input validation vulnerability in their 5015-AENFTXT product.
Rockwell Advisory #2 - Rockwell published an advisory that discusses a deserialization of untrusted data vulnerability {listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in their FactoryTalk Production Centre product.
Updates
B&R Update #1 - B&R published an update for their Docker Engine advisory that was originally published on April 10th, 2024.
B&R Update #2 - B&R published an update for their LOGO Fail advisory that was originally published on April 11th, 2024.
Contec Update - JP-CERT published an update for their SolarView Compact advisory that was originally published on June 9th, 2022 and most recently updated on February 10th, 2023.
HPE Update - HPE published an update for their Superdome Flex advisory that was originally published on January 23rd, 2024 and most recently updated on March 8th, 2024.
Palo Alto Networks Update - Palo Alto Networks published an update for their PAN OS command injection advisory that was originally published on March 12th, 2024.
Researcher Reports
Elber Report #1 - Zero Science published two reports of vulnerabilities in the Elber Signum DVB-S/S2 controller for satellite equipment.
Elber Report #2 - Zero Science published two reports of vulnerabilities in the Elber Cleber/3 Broadcast Multi-Purpose Platform.
Elber Report #3 - Zero Science published two reports of vulnerabilities in the Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link.
Elber Report #4 - Zero Science published two reports of vulnerabilities in the Elber DVB-S/S2 Satellite Receiver.
Elber Report #5 - Zero Science published two reports of vulnerabilities in the Elber Wayber Analog/Digital Audio STL.
Silicon Labs Report - Talos published a report about a NULL pointer dereference vulnerability in the Silicon Labs Gecko Platform software design kit.
Exploits
Palo Alto Networks Exploit #1 - H4x0r-dz published an exploit for a command injection vulnerability in the Palo Alto Networks PAN-OS.
Palo Alto Networks Exploit #2 - W01fh4cker published an exploit for a command injection vulnerability in the Palo Alto Networks PAN-OS.
For more details about these disclosures, including links to researcher reports, 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-ac1 - subscription required.