Saturday, June 15, 2024

Review – Public ICS Disclosures – Week of 6-8-24 – Part 2

For Part 2 we have nine additional vendor disclosures from Schneider Electric (5), Siemens, VMware, Western Digital, and ZKTeco. We also have 28 vendor updates from HP (13), Schneider (2), and Siemens (13). In Part 3 we will look at researcher reports and exploits.

Advisories

Schneider Advisory #1 - Schneider published an advisory that describes a files or directories accessible to external parties vulnerability in their Modicon M340 and BMXNOE0100 and BMXNOE0110 products.

Schneider Advisory #2 - Schneider published an advisory that describes a use of broken or risky cryptographic algorithm vulnerability.

Schneider Advisory #3 - Schneider published an advisory that describes an exposure of resource to wrong sphere vulnerability in their EVlink Home Smart product.

Schneider Advisory #4 - Schneider published an advisory that describes a TOCTOU race condition in their SpaceLogic AS-P and AS-B products.

Schneider Advisory #5 - Schneider published an advisory that describes six vulnerabilities in their SAGE RTU products.

Siemens Advisory - Siemens published an advisory that describes an incorrect type conversion or cast vulnerability in their Tecnomatix Plant Simulation product.

VMware Advisory - VMware published an advisory that describes three vulnerabilities in their SD-WAN Edge and SD-WAN Orchestrator products.

Western Digital Advisory - Western Digital published an advisory that describes a cross-site scripting vulnerability in multiple Western Digital products.

ZKTeco Advisory - ZKTeco published an advisory that announced that they had a firmware update that “addresses minor vulnerabilities identified in certain models of our standalone terminals”.

Updates

HP Update #1 - HP published an update for their Aruba 9200 and 9000 Series Controllers advisory that was originally published on September 6th, 2023.

HP Update #2 - HP published an update for their Aruba ClearPass Policy Manager advisory that was originally published on October 24th, 2023.

HP Update #3 - HP published an update for their Aruba AirWave Management Platform advisory that was originally published on October 17th, 2023 and most recently updated on October 23rd, 2023.

HP Update #4 - HP published an update for their ArubaOS-Switch Switches advisory that was originally published on August 29th, 2023.

HP Update #5 - HP published an update for their Aruba EdgeConnect SD-WAN Orchestrator advisory that was originally published on August 22nd, 2023 and most recently updated on October 3rd, 2023.

HP Update #6 - HP published an update for their Aruba Networking Virtual Intranet Access advisory that was originally published on August 15th, 2023.

HP Update #7 - HP published an update for their Aruba CX Switches advisory that was originally published on August 1st, 2023.

HP Update #8 - HP published an update for their Aruba Access Points advisory that was originally published on July 25th, 2023.

HP Update #9 - HP published an update for their ArubaOS advisory that was originally published on July 11th, 2023.

HP Update #10 - HP published an update for their Aruba EdgeConnect Enterprise advisory that was originally published on May 24th, 2023.

HP Update #11 - HP published an update for their Aruba Access Points advisory that was originally published on May 9th, 2023.

HP Update #12 - HP published an update for their Aruba Bypassing Wi-Fi Encryption advisory that was originally published on April 4th, 2023, and most recently updated on April 6th, 2023.

HP Update #13 - HP published an update for their ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers advisory that was originally published on April 2nd, 2024 and most recently updated on June 3rd, 2024.

Schneider Update #1 - Schneider published an update for their CODESYS Runtime advisory that was originally published on July 11th, 2023, and most recently updated on April 9th, 2024.

Schneider Update #2 - Schneider published an update for their Easy UPS advisory that was originally published on April 11th, 2023, and most recently updated on June 13th, 2023.

Siemens Update #1 - Siemens published an update for their SICAM Products advisory that was originally published on May 14th, 2024.

Siemens Update #2 - Siemens published an update for their RUGGEDCOM APE1808 advisory that was originally published on March 12th, 2024, and most recently updated on May 14th, 2024.

Siemens Update #3 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 13th, 2024, and most recently updated on April 9th, 2024.

Siemens Update #4 - Siemens published an update for their OPC UA Implementations advisory that was originally published on September 12th, 2023, and most recently updated on May 14th, 2024.

Siemens Update #5 - Siemens published an update for their Profinet Devices advisory that was originally published on July 13th, 2021, and most recently updated on April 12th, 2024.

Siemens Update #6 - Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 11th, 2023, and most recently updated on May 9th, 2023.

Siemens Update #7 - Siemens published an update for their S7-1500 CPU Devices advisory that was originally published on January 10th, 2023, and most recently updated on December 12th, 2023.

Siemens Update #8 - Siemens published an update for their PROFINET Stack advisory that was originally published on April 12th, 2022, and most recently updated on May 14th, 2024.

Siemens Update #9 - Siemens published an update for their Parasolid and Teamcenter Visualization advisory that was originally published on August 8th, 2023, and most recently updated on November 14th, 2023.

Siemens Update #10 - Siemens published an update for their GNU/Linux Subsystem advisory that was originally published on December 12th, 2023, and most recently updated on May 14th, 2024.

Siemens Update #11 - Siemens published an update for their SCALANCE XB-200 advisory that was originally published on March 12th, 2024.

Siemens Update #12 - Siemens published an update for their SIMATIC RTLS advisory that was originally published on May 14th, 2024.

Siemens Update #13 - Siemens published an update for their SICAM PAS/PQS advisory that was originally published on October 10th, 2023.

 

For more information on these disclosures, including links to 3rd party advisories and brief summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-f31 - subscription required.
