This week we have 16 vendor disclosures from Bosch, Broadcom (3), ELECOM (4), Dassault Systèmes (2), Flexera, Hitachi, HPE, Omron (2), and SEL. There are also nine vendor updates from Hitachi Energy (2), HP (2), HPE (4), and Mitsubishi. We have 16 researcher reports for products from AutomationDirect (8), FortiGuard, libigl (6), and Nokia. Finally, we have an exploit for products from Siemens.
Advisories
Bosch Advisory - Bosch published an advisory that describes an uncontrolled resource consumption vulnerability in their CC13XX-26XX-SDK, BLE5-STACK and CC2340 SDK, BLE5-STACK products.
Broadcom Advisory #1 - Broadcom published an advisory that describes a URL parsing vulnerability in their Spring Framework product.
Broadcom Advisory #2 - Broadcom published an advisory that discusses ten vulnerabilities (three with known exploits) in their Brocade ASCG product.
Broadcom Advisory #3 - Broadcom published an advisory that describes a default community strings vulnerability in their Brocade Directors, Brocade Fabric OS, and Brocade Switches.
ELECOM Advisory #1 - JP-CERT published an advisory that describes an OS command injection vulnerability in the ELECOM WRC-X5400GS-B and WRC-X5400GSA-B wireless LAN routers.
ELECOM Advisory #2 - JP-CERT published an advisory that describes two vulnerabilities in multiple wireless LAN routers and wireless LAN repeaters from ELECOM.
ELECOM Advisory #3 - JP-CERT published an advisory that describes an OS command injection vulnerability in multiple ELECOM wireless LAN routers.
ELECOM Advisory #4 - JP-CERT published an advisory that describes three vulnerabilities in multiple ELECOM wireless LAN routers.
Dassault Advisory #1 - Dassault published an advisory that describes a deserialization of untrusted data vulnerability in their DELMIA Apriso product.
Dassault Advisory #2 - Dassault published an advisory that describes a deserialization of untrusted data vulnerability in their DELMIA Apriso product.
Flexera Advisory - Flexera published an advisory that discusses four vulnerabilities in their FlexNet Publisher.
HPE Advisory - HPE published an advisory that discusses a "hardware logic contains race condition" vulnerability in their ProLiant DL/ML and MicroServer products.
Omron Advisory #1 - Omron published an advisory that describes an insufficient verification of data authenticity vulnerability in their NJ/NX-series Machine Automation Controllers.
Omron Advisory #2 - Omron published an advisory that discusses three vulnerabilities in their NJ/NX-series Machine Automation Controllers.
SEL Advisory - SEL published a version update for their SEL Compass software.
Updates
Hitachi Energy Update #1 - Hitachi Energy published an update for their AFF660/665 series advisory that was originally published on January 30th, 2024.
Hitachi Energy Update #2 - Hitachi Energy published an update for their IED ConnPacks advisory that was originally published on November 15th, 2022. The link provided currently goes to the original version of the advisory.
HP Update #1 - HP published an update for their LaserJet Pro advisory that was originally published on February 20th, 2024 and most recently updated on April 29th, 2024.
HP Update #2 - HP published an update for their LaserJet Managed Printers advisory that was originally published on February 20th, 2024. The provided link currently goes to a blank page.
HPE Update #1 - HPE published an update for their ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers advisory that was originally published on April 2nd, 2024 and most recently updated on May 14th, 2024.
HPE Update #2 - HPE published an update for their Aruba ArubaOS-CX Switches advisory that was originally published on May 8th, 2024.
HPE Update #3 - HPE published an update for their NonStop Web ViewPoint Enterprise advisory that was originally published on April 1st, 2024.
HPE Update #4 - HPE published an update for their Tomcat-based Servlet Engine advisory that was originally published on March 9th, 2018.
Mitsubishi Update - Mitsubishi published an update for their MELSEC and MELIPC Series advisory that was originally published on June 14th, 2022 and most recently updated on July 27th, 2023.
Researcher Reports
AutomationDirect Reports - Talos Intelligence published eight reports describing 13 vulnerabilities in the AutomationDirect P3-550E PLCs.
FortiGuard Report - Horizon3 published a report that describes the identification of CVE-2024-23108 and CVE-2024-23109, command injection vulnerabilities, in the FortiGuard FortiSIEM product.
Libigl Report - Talos Intelligence published six reports describing vulnerabilities in the libigl library.
Nokia Report - IOActive published a report that describes two vulnerabilities in the Nokia FRRO501a Industrial Fieldrouter.
Exploits
Siemens Exploit - SEC Consult published an exploit for an exposed serial shells vulnerability in the Siemens CP-XXXX Series PLCs.
For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-cd7 - subscription required.