Saturday, August 17, 2024

Review – Public ICS Disclosures – Week of 8-10-24 – Part 1

This week we have 29 vendor disclosures from FortiGuard (3), HP (5), HPE (11), Palo Alto Networks (4), Pepperl+Fuchs, Philips (3), Phoenix Contact, and Splunk.

Advisories

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an improper access control vulnerability in their FortiOS product.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes an unverified password change vulnerability in their FortiManager and FortiAnalyzer products.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes an insufficient session expiration vulnerability in their FortiOS, FortiProxy, FortiPAM & FortiSwitchManager GUI products.

HP Advisory #1 - HP published an advisory that discusses an insecure inherited permissions vulnerability in their PCs.

HP Advisory #2 - HP published an advisory that discusses nine vulnerabilities in their PCs.

HP Advisory #3 - HP published an advisory that describes nine vulnerabilities in their PCs.

HP Advisory #4 - HP published an advisory that discusses an improper access control vulnerability in their PCs.

HP Advisory #5 - HP published an advisory that discusses two improper isolation of shared resources on a System-on-a-Chip vulnerabilities in their PCs.

HPE Advisory #1 - HPE published an advisory that discusses nine vulnerabilities in their SimpliVity AMD Servers.

HPE Advisory #2 - HPE published an advisory that discusses an incomplete filtering of special elements vulnerability in their StoreEasy Servers.

HPE Advisory #3 - HPE published an advisory that discusses an insufficient control flow management vulnerability in their StoreEasy Servers.

HPE Advisory #4 - HPE published an advisory that discusses an incomplete filtering of special elements vulnerability in their SimpliVity Servers.

HPE Advisory #5 - HPE published an advisory that discusses a protection mechanism failure vulnerability in their ProLiant DL/ML/XL, Alletra, Apollo, Synergy, and Edgeline Servers.

HPE Advisory #6 - HPE published an advisory that discusses a protection mechanism failure vulnerability in their StoreEasy Servers.

HPE Advisory #7 - HPE published an advisory that discusses an incorrect behavior order vulnerability in their StoreEasy Servers.

HPE Advisory #8 - HPE published an advisory that discusses nine vulnerabilities in their ProLiant AMD Servers.

HPE Advisory #9 - HPE published an advisory that discusses an incorrect behavior order vulnerability in their ProLiant DL/ML/XL, Synergy, MicroServer, and Edgeline Servers.

HPE Advisory #10 - HPE published an advisory that discusses an insufficient flow control management vulnerability in their ProLiant DL/ML, Alletra, Synergy, and Edgeline Servers.

HPE Advisory #11 - HPE published an advisory that discusses an incomplete filtering of special elements vulnerability in their ProLiant DL/ML, Alletra, Synergy, and Edgeline Servers.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that describes an incorrect permissions for critical resource vulnerability in their GlobalProtect app.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes an incorrect cleartext storage in a file or on a disk vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes a command injection vulnerability in their Cortex XSOAR product.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that discusses 31 vulnerabilities in their Prisma Access Browser.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that describes three cross-site scripting vulnerabilities in the Pepperl+Fuchs Device Master ICDM-RX/ product line.

Philips Advisory #1 - Philips published an advisory that discusses the Windows Power Dependency Coordinator component (CVE-2024-38107; listed on CISA’s Known Exploited Vulnerability Catalog) vulnerability.

Philips Advisory #2 - Philips published an advisory that discusses the Windows Kernel (CVE-2024-38106; listed on CISA’s KEV Catalog) vulnerability.

Philips Advisory #3 - Philips published an advisory that discusses the Microsoft Remote Desktop Licensing Service (CVE-2024-38077) vulnerability.

Phoenix Contact - Phoenix Contact published an advisory that describes a files or directories accessible to external parties vulnerability in their CHARX control modular AC charging modules.

Splunk Advisory - Splunk published an advisory that discusses 28 vulnerabilities (14 with available exploits) in their Python for Scientific Computing product.


For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - subscription required.
