Saturday, November 2, 2024

Review – Public ICS Disclosures – Week of 10-25-24 – Part 1

This week, for Part 1, we have 20 vendor disclosures from Broadcom (8), Beckhoff, Bosch, GE Vernova (2), Hikvision, Hitachi Energy (2), HP (3), HPE, and Omron.

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses a function call with incorrect argument type vulnerability in their SANnav product.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an integer overflow or wrap around vulnerability in their SANnav product.

Broadcom Advisory #3 - Broadcom published an advisory that discusses nine vulnerabilities (three with publicly available exploits) in their Fabric OS, SANnav, and ASCG products.

Broadcom Advisory #4 - Broadcom published an advisory that discusses an incorrect resource transfer between spheres vulnerability in their SANnav product.

Broadcom Advisory #5 - Broadcom published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their SANnav product.

Broadcom Advisory #6 - Broadcom published an advisory that discusses an incomplete cleanup vulnerability in their SANnav product.

Broadcom Advisory #7 - Broadcom published an advisory that discusses three inadequately described vulnerabilities in their SANnav product.

Broadcom Advisory #8 - Broadcom published an advisory that discusses six vulnerabilities in their SANnav products.

Beckhoff Advisory - CERT-VDE published an advisory that describes an OS command injection vulnerability in the Beckhoff TwinCAT Package Manager.

Bosch Advisory - Bosch published an advisory that describes an uncontrolled resource consumption vulnerability in the PROFINET stack implementation of the IndraDrive.

GE Vernova Advisory #1 - GE published an advisory that discusses two vulnerabilities in Control Server installations that use VMware vCenter Server.

GE Vernova Advisory #2 - GE published an advisory that describes a side-channel key recovery vulnerability in YubiKeys, affecting customers using Xona devices and those using YubiKey authentication for certain HMI deployments.

Hikvision Advisory - JPCERT published an advisory that announces firmware updates for multiple network cameras as a security enhancement, changing how the cameras communicate with Dynamic DNS services to prevent cleartext transmission.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes two vulnerabilities in their TRO600 series products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses two vulnerabilities (both with publicly available exploits) in their MSM product web services.

HP Advisory #1 - HP published an advisory that discusses the PixieFail vulnerabilities.

HP Advisory #2 - HP published an advisory that discusses 353 vulnerabilities in their ThinPro product.

HP Advisory #3 - HP published an advisory that describes an out-of-bounds write vulnerability in their Smart Universal Printing Driver.

HPE Advisory - HPE published an advisory that discusses the regreSSHion vulnerability.

Omron Advisory - Omron published an advisory that describes an improper authorization vulnerability in their Sysmac Studio product.


For more information about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-25a - subscription required.
