For Part 2 we have five additional vendor disclosures from Schneider (2), Siemens, and Zyxel (2). We also have 26 vendor updates from Cisco, CODESYS, HP, Schneider (3), and Siemens (20). Finally, we have an exploit for products from BlackBerry.
Advisories
Schneider Advisory #1 - Schneider published an
advisory that describes an improper privilege management vulnerability in
their Vijeo Designer products.
Schneider Advisory #2 - Schneider published an
advisory that describes a cross-site scripting vulnerability in their
EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO)
products.
Siemens Advisory - Siemens published an advisory that describes an uncontrolled resource
consumption vulnerability in their SIMATIC S7-200 SMART devices.
Zyxel Advisory #1 - Zyxel published an
advisory that describes an OS command injection vulnerability in their NAS
products.
Zyxel Advisory #2 - Zyxel published an advisory that describes an insufficient entropy vulnerability in their GS1900 series switches.
Updates
Cisco Update - Cisco published an
update for their regreSSHion
advisory that was originally published on July 2nd, 2024, and most
recently updated on September 5th, 2024.
CODESYS Update - CODESYS published an
update for their OSCAT Basic library advisory that was originally published
on August 29th, 2024.
HP Update - HP published an
update for their Plantronics advisory that was originally published on
December 20th, 2023, and most recently updated on June 26th,
2024.
Moxa Update - Moxa published an
update for their regreSSHion advisory that was originally published on
August 2nd, 2024, and most recently updated on August 23rd,
2024.
Schneider Update #1 - Schneider published an
update for their PowerLogic P5 advisory that was originally published on
June 11th, 2024.
Schneider Update #2 - Schneider published an
update for their EcoStruxure Power Monitoring Expert advisory that was
originally published on March 14th, 2023, and most recently updated
on July 11th, 2023.
Schneider Update #3 - Schneider published an
update for their BadAlloc advisory
that was originally published on November 9th, 2021, and most
recently updated on August 13th, 2024.
Siemens Update #1 - Siemens published an update
for their User Management Component advisory that was originally published on
December 12th, 2023, and most recently updated on August 13th,
2024.
Siemens Update #2 - Siemens published an update
for their Industrial Products advisory that was originally published on May 14th,
2024, and most recently updated on July 9th, 2024.
Siemens Update #3 - Siemens published an update
for their LOGO! 8 BM Devices advisory that was originally published on October
11th, 2022, and most recently updated on December 12th,
2023.
Siemens Update #4 - Siemens published an update
for their LOGO! V8.3 BM Devices advisory that was originally published on
August 13th, 2024.
Siemens Update #5 - Siemens published an update
for their SIMATIC WinCC advisory that was originally published on July 9th,
2024.
Siemens Update #6 - Siemens published an update
for their Electromagnetic Fault Injection advisory that was originally
published on December 12th, 2023.
Siemens Update #7 - Siemens published an update
for their Fortigate NGFW advisory that was originally published on March 12th,
2024, and most recently updated on July 9th, 2024.
Siemens Update #8 - Siemens published an update
for their SENTRON 7KM PAC3120 advisory that was originally published on March
12th, 2024.
Siemens Update #9 - Siemens published an update
for their LOGO! 8 BM advisory that was originally published on March 9th,
2021, and most recently updated on December 12th, 2023.
Siemens Update #10 - Siemens published an update
for their SIMATIC WinCC advisory that was originally published on February 13th,
2024, and most recently updated on July 9th, 2024.
Siemens Update #11 - Siemens published an update
for their Fortigate NGFW advisory that was originally published on July 9th,
2024, and most recently updated on August 13th, 2024.
Siemens Update #12 - Siemens published an update
for their OPC Foundation advisory that was originally published on March 11th,
2024, and most recently updated on May 14th, 2024.
Siemens Update #13 - Siemens published an update
for their SCALANCE W700 802.11 AX advisory that was originally published on
June 11th, 2024.
Siemens Update #14 - Siemens published an update
for their Webserver of Industrial Products advisory that was originally
published on April 11th, 2023, and most recently updated on June 11th,
2024.
Siemens Update #15 - Siemens published an update
for their Palo Alto Networks Virtual NGFW advisory that was originally
published on April 9th, 2024, and most recently updated on July 9th,
2024.
Siemens Update #16 - Siemens published an update
for their Industrial Real-Time devices advisory that was originally published
on October 8th, 2019, and most recently updated on May 9th,
2023.
Siemens Update #17 - Siemens published an update
for their PROFINET DCP Implementation advisory that was originally published on
May 8th, 2017, and most recently updated on July 9th,
2024.
Siemens Update #18 - Siemens published an update
for their SINUMERIK ONE advisory that was originally published on December 12th,
2023.
Siemens Update #19 - Siemens published an update
for their Mendix Runtime advisory that was originally published on August 10th,
2024.
Siemens Update #20 - Siemens published an update for their OPC UA Server advisory that was originally published on July 9th, 2024.
Exploit
BlackBerry Exploit - Brendan Coles published a
Metasploit module for a lack of authentication for sensitive operations
vulnerability in the BlackBerry QNX system.
For more information on these disclosures, including a brief
summary of the changes made in updates, see my article at CFSN Detailed
Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-d3d
- subscription required.