Sunday, November 3, 2024

Review – Public ICS Disclosures – Week of 10-25-24 – Part 2

For Part 2 this week we have nine additional vendor disclosures from Moxa, Palo Alto Networks, Philips (3), QNAP (2), Western Digital, and Zyxel. There are six vendor updates from FortiGuard, Hitachi Energy (4), and Moxa. We also have 12 researcher reports for vulnerabilities in products from FortiGuard and ABB (11).

Advisories

Moxa Advisory - Moxa published an advisory that discusses two vulnerabilities (both with publicly available exploits) in their Ethernet Switches.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that discusses 42 open-source software vulnerabilities.

Philips Advisory #1 - Philips published an advisory that discusses a missing authentication for critical function vulnerability.

Philips Advisory #2 - Philips published an advisory that discusses an SQL injection vulnerability.

Philips Advisory #3 - Philips published an advisory that discusses an improper neutralization of expression/command delimiters vulnerability.

QNAP Advisory #1 - QNAP published an advisory that describes an uncharacterized vulnerability in their HBS 3 Hybrid Backup Sync.

QNAP Advisory #2 - QNAP published an advisory that describes an uncharacterized vulnerability in their SMB Service.

Western Digital Advisory - Western Digital published a security update notice for their My Cloud products.

Zyxel Advisory - Zyxel published an advisory that describes an insufficiently protected credentials vulnerability in their USG FLEX H series firewalls.

Updates

FortiGuard Update - FortiGuard published an update for their Missing authentication in fgfmsd advisory that was originally published on October 23rd, 2024, and most recently updated on October 28th.

Hitachi Energy Update #1 - Hitachi Energy published an update for their FOXMAN-UN advisory that was originally published on June 11th, 2024.

Hitachi Energy Update #2 - Hitachi Energy published an update for their UNEM advisory that was originally published on June 11th, 2024.

Hitachi Energy Update #3 - Hitachi Energy published an update for their MSM product advisory that was originally published on January 30th, 2024.

Hitachi Energy Update #4 - Hitachi Energy published an update for their MicroSCADA advisory that was originally published on August 27th, 2024, and most recently updated on August 30th, 2024.

Moxa Update - Moxa published an update for their Cellular Routers, Secure Routers, and Network Security Appliances advisory that was originally published on October 14th, 2024, and most recently updated on October 15th, 2024.

Researcher Reports

FortiGuard Report - Bishop Fox published a report on the missing authentication for critical function vulnerability (CVE-2024-47575) for FortiGuard’s FortiManager product.

ABB Reports - Zero Science published eleven reports about individual vulnerabilities (with publicly available exploits) in the ABB Cylon Aspect building energy management product.

 

For more information on these vulnerabilities, including links to third-party advisories, researcher reports, and exploits, as well as brief summaries of the changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-a32 - subscription required.
