Showing posts with label Draeger. Show all posts

Saturday, August 9, 2025

Review – Public ICS Disclosures – Week of 8-2-25

We have a relatively light disclosure week. This week we have nine vendor disclosures from CODESYS (3), Dell, Draeger, Eaton, Hitachi, HPE, and Splunk. There are also seven vendor updates from HP (3), HPE, Mitsubishi, and Moxa (2). Finally, we have an exploit for products from Tigo.

Advisories

CODESYS Advisory #1 - CODESYS published an advisory that describes an incorrect default permissions vulnerability in their Control runtime systems.

CODESYS Advisory #2 - CODESYS published an advisory that describes a NULL pointer dereference vulnerability in their Control runtime system's CmpDevice component.

CODESYS Advisory #3 - CODESYS published an advisory that describes an incorrect permission assignment for critical resource vulnerability in their Control runtime system CmpOpenSSL component.

Dell Advisory - Dell published an advisory that discusses three vulnerabilities (one with publicly available exploit) in their ThinOS products.

Draeger Advisory - Draeger published an advisory that describes a missing authorization vulnerability in their ICMHelper product.

Eaton Advisory - Eaton published an advisory that describes two vulnerabilities in their Rack PDU G4 product.

Hitachi Advisory - Hitachi published an advisory that discusses three vulnerabilities in their Cosminexus Developer's Kit.

HPE Advisory - HPE published an advisory that describes ten vulnerabilities in their Private Cloud AI.

Splunk Advisory #1 - Splunk published an advisory that discusses five vulnerabilities (two with publicly available exploits) in their AppDynamics Cluster Agent.

Splunk Advisory #2 - Splunk published an advisory that discusses 148 vulnerabilities in their On-premise Enterprise Console.

Updates

HP Update #1 - HP published an update for their Intel PROSet/Wireless WiFi advisory that was originally published on May 13th, 2025.

HP Update #2 - HP published an update for their AMD Graphics Driver advisory that was originally published on February 11th, 2025.

HP Update #3 - HP published an update for their Elan Fingerprint Sensor advisory that was originally published on April 10th, 2025.

HPE Update - HPE published an update for their SANnav Management Portal advisory that was originally published on July 8th, 2025.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on May 15th, 2025.

Moxa Update #1 - Moxa published an update for their OnCell 3120-LTE-1 advisory that was originally published on September 4th, 2024.

Moxa Update #2 - Moxa published an update for their MGate MB3XXX advisory that was originally published on February 17th, 2022.

Exploits

Tigo Exploit - Byte Reaper published an exploit for a command injection vulnerability in the Tigo Cloud Connect Advanced products.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-d28 - subscription required.

Saturday, July 27, 2024

Review – Public ICS Disclosures – Week of 7-20-24

This week we have two CrowdStrike outage advisories. We also have 18 other vendor advisories for products from Broadcom, Draeger, Hitachi, HPE (4), Meinberg, National Instruments (7), WithSecure (2), and Zyxel. We have three vendor updates from Cisco (2) and HP. There is also a researcher report for vulnerabilities in products from Perkin Elmer. Finally, we have an exploit for products from Softing.

CrowdStrike Outage

GE Vernova published an advisory that discussed the impact on some of their Monitoring & Diagnostics products.

Philips published an advisory that provides a list of potentially affected products.

Advisories

Broadcom Advisory - Broadcom published an advisory that discusses ten vulnerabilities in the Azul Zulu component of their Brocade SANnav product.

Draeger Advisory - Draeger published an advisory that discusses a deserialization of untrusted data vulnerability (listed in the CISA Known Exploited Vulnerability Catalog).

Hitachi Advisory - Hitachi published an advisory that discusses 27 vulnerabilities in their Disk Array Systems.

HPE Advisory #1 - HPE published an advisory that describes three vulnerabilities in their Aruba EdgeConnect SD-WAN Orchestrator.

HPE Advisory #2 - HPE published an advisory that discusses 21 vulnerabilities (6 with known exploits) in their Unified OSS Console Assurance Monitoring (UOCAM) product.

HPE Advisory #3 - HPE published an advisory that discusses seven vulnerabilities (one with known exploit) in their Aruba EdgeConnect SD-WAN Gateways.

HPE Advisory #4 - HPE published an advisory that discusses an out-of-bounds write vulnerability in their ProLiant DL/ML/SY/XL and Alletra Servers.

Meinberg Advisory - Meinberg published an advisory that discusses ten vulnerabilities (2 with known exploits) in their Lantime product.

National Instruments Advisory #1 - National Instruments published an advisory that describes two missing authorization vulnerabilities in their VeriStand Gateway product.

National Instruments Advisory #2 - National Instruments published an advisory that describes two deserialization of untrusted data vulnerabilities in their VeriStand product.

National Instruments Advisory #3 - National Instruments published an advisory that describes a path traversal vulnerability in their VeriStand product.

National Instruments Advisory #4 - National Instruments published an advisory that describes a deserialization of untrusted data vulnerability in their VeriStand Project File product.

National Instruments Advisory #5 - National Instruments published an advisory that describes an integer overflow or wraparound vulnerability in their TDMS Files in LabVIEW.

National Instruments Advisory #6 - National Instruments published an advisory that describes an incorrect default permissions vulnerability in their SystemLink Redis Service.

National Instruments Advisory #7 - National Instruments published an advisory that describes an out-of-date component with multiple vulnerabilities in their SystemLink Server.

WithSecure Advisory #1 - WithSecure published an advisory that describes a denial of service vulnerability in their WithSecure Mac antivirus software.

WithSecure Advisory #2 - WithSecure published an advisory that describes a privilege escalation vulnerability in their WithSecure Mac Products.

Zyxel Advisory - Zyxel published an advisory that describes an improper privilege management vulnerability in their Zyxel AP products.

Updates

Cisco Update #1 - Cisco published an update for their Blast-Radius advisory that was originally published on July 10th, and most recently updated on July 19th, 2024.

Cisco Update #2 - Cisco published an update for their regreSSHion advisory that was originally published on July 2nd, 2024, and most recently updated on July 19th, 2024.

HP Update - HP published an update for their Display Control Software advisory that was originally published on July 15th, 2024.

Researcher Reports

Perkin Elmer Report - Cyber Danube published a report that describes three vulnerabilities in the Perkin Elmer ProcessPlus measurement software.

Exploits

Softing Exploit - Mr me published a Metasploit module for two vulnerabilities in the Softing Secure Integration Server.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-d58 - subscription required.

Saturday, April 22, 2023

Public ICS Disclosures – Week of 4-15-23

This week we have six vendor disclosures from Cisco, Draeger, Omron (2), Philips, and VMware. There are seven vendor updates from Palo Alto Networks, QNAP (5), and Schneider. Finally, we have two exploits for products from VMware.

Advisories

Cisco Advisory - Cisco published an advisory that describes two vulnerabilities in their Industrial Network Director (IND).

Draeger Advisory - Draeger published an advisory that discusses the status of TLS 1.0, which has been deprecated by the Internet Engineering Task Force.

Omron Advisory #1 - Omron published an advisory that describes a missing authentication for critical function vulnerability in their CS/CJ series Programmable Controllers.

Omron Advisory #2 - Omron published an advisory that describes seven vulnerabilities in their Factory Interface Network Service message communications protocol.

Philips Advisory - Philips published an advisory that discusses a Windows privilege escalation vulnerability that has been exploited in the wild.

VMware Advisory - VMware has published an advisory that describes two vulnerabilities in their Aria Operations for Logs product.

Updates

Palo Alto Networks Update - Palo Alto Networks published an update for their PAN-OS advisory that was originally published on April 12th, 2023.

QNAP Update #1 - QNAP published an update for their sudo advisory that was originally published on March 30th, 2023.

QNAP Update #2 - QNAP published an update for their QTS, QuTS hero, QuTScloud, QVP, and QVR advisory that was originally published on March 30th, 2023.

QNAP Update #3 - QNAP published an update for their QTS, QuTS hero, QuTScloud, and QVP advisory that was originally published on March 30th, 2023.

QNAP Update #4 - QNAP published an update for their Buffer Overflow Vulnerability in Samba advisory that was originally published on March 30th, 2023.

QNAP Update #5 - QNAP published an update for their Buffer Overflow Vulnerabilities in Samba advisory that was originally published on March 30th, 2023.

Schneider Update - Schneider published an update for their Easy UPS Online Monitoring Software that was originally published on April 11th, 2023.

Exploits

VMware Exploit #1 - Mr_me published a Metasploit module for an improper privilege management vulnerability in the VMware Workspace One product.

VMware Exploit #2 - Mr_me published a Metasploit module for three vulnerabilities in the VMware Workspace One product.

 

For more details about these disclosures, including links to 3rd party advisories and a brief description of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-c16 - subscription required.

Saturday, November 12, 2022

Review – Public ICS Disclosures – Week of 11-5-22 – Part 1

This is a busy Saturday after the 2nd Tuesday. For Part 1 this week we have five OpenSSL 3.0 vendor disclosures from Carrier, Draeger, Eurotech, Palo Alto Networks, and QNAP. There are 23 other vendor disclosures from Aiphone, Belden, Broadcom (9), Carrier, Fujitsu, GE Gas Power, HP, and HPE (8).

OpenSSL 3.0 Disclosures

Carrier published an OpenSSL 3.0 advisory. Carrier reports that no products are affected.

Draeger published an OpenSSL 3.0 advisory. Draeger reports that their medical devices are not affected.

Eurotech published an OpenSSL 3.0 advisory. Eurotech reports that none of their products are affected.

Palo Alto Networks updated their OpenSSL 3.0 advisory. They report that none of their products are affected.

QNAP published an OpenSSL 3.0 advisory. QNAP reports that their products are not affected.

Other Vendor Disclosures

Aiphone Advisory - Aiphone published an advisory that describes an information disclosure vulnerability in their GT Entrance Station product.

Belden Advisory - Belden published an advisory that discusses two unauthorized access vulnerabilities in their Provise and Hirschmann network management products.

Broadcom Advisory #1 - Broadcom published an advisory that discusses an off-by-one error vulnerability in their Brocade SANnav.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an infinite loop vulnerability in undisclosed products (probably Brocade SANnav).

Broadcom Advisory #3 - Broadcom published an advisory that discusses an out-of-bounds write in their Brocade SANnav product.

Broadcom Advisory #4 - Broadcom published an advisory that describes an improper storage of sensitive information vulnerability in their Brocade SANnav product.

Broadcom Advisory #5 - Broadcom published an advisory that describes an information exposure vulnerability in their Brocade SANnav product.

Broadcom Advisory #6 - Broadcom published an advisory that describes an information exposure vulnerability in their Brocade SANnav product.

Broadcom Advisory #7 - Broadcom published an advisory that describes a weak key exchange vulnerability in their Brocade SANnav product.

Broadcom Advisory #8 - Broadcom published an advisory that describes an information exposure vulnerability in their Brocade SANnav product.

Broadcom Advisory #9 - Broadcom published an advisory that describes a remote code execution vulnerability in their Brocade Fabric OS.

Carrier Advisory - Carrier published an advisory that discusses the Text4Shell vulnerability.

Fujitsu Advisory - Fujitsu published an advisory that discusses eight vulnerabilities in a variety of Fujitsu products.

GE Advisory - GE Gas Power published an advisory that discusses “Malware Persistence in VMWare ESXi Hypervisor”.

HP Advisory - HP published an advisory that describes a privilege escalation vulnerability in the BIOS for a number of HP products.

HPE Advisory #1 - HPE published an advisory that discusses an authentication bypass vulnerability in their B-series SAN Switches.

HPE Advisory #2 - HPE published an advisory that discusses five vulnerabilities in their B-Series SANnav Management Portal.

HPE Advisory #3 - HPE published an advisory that discusses an improper input validation vulnerability in their Synergy Servers.

HPE Advisory #4 - HPE published an advisory that discusses two vulnerabilities in their ProLiant Moonshot Servers.

HPE Advisory #5 - HPE published an advisory that discusses six vulnerabilities in their ProLiant DL/ML Servers.

HPE Advisory #6 - HPE published an advisory that discusses two vulnerabilities in their ProLiant BL/DL/ML Servers.

HPE Advisory #7 - HPE published an advisory that discusses an improper input validation vulnerability in their Apollo Servers.

HPE Advisory #8 - HPE published an advisory that discusses an improper input validation vulnerability in their StoreEasy Servers.

 

For more details about these advisories, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-b51 - subscription required.

Saturday, March 12, 2022

Review – Public ICS Disclosures – Week of 3-5-22 – Part 1

It has been a busy week, even without the 2nd Tuesday disclosures. This will be a three-part report. This week we have thirteen vendor disclosures from Boston Scientific, Broadcom, Carestream, WAGO, Draeger, Eaton (4), GE Gas Power, Genetec, Hitachi Energy, and Johnson Controls.

Boston Scientific Advisory - Boston Scientific published an advisory discussing the Access:7 vulnerabilities.

Broadcom Advisory - Broadcom published an advisory discussing the DirtyPipe vulnerability.

Carestream Advisory - Carestream published an advisory discussing the Access:7 vulnerabilities.

Ecava Advisory - Incibe CERT published an advisory discussing eight vulnerabilities in the Ecava IntegraXor.

WAGO Advisory - VDE CERT published an advisory describing a cross-site scripting vulnerability in various WAGO PLCs.

Draeger Advisory - Draeger published an advisory discussing the PwnKit vulnerability.

Eaton Advisory #1 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #2 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #3 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

Eaton Advisory #4 - Eaton published an advisory describing a cross-site scripting vulnerability in their Intelligent Power Manager.

GE Gas Power Advisory - GE Gas Power published an advisory discussing the Russia-Ukraine situation.

Genetec Advisory - Genetec published an advisory describing a privilege escalation vulnerability in the Authentication Service role in their Security Center product.

Hitachi Energy Advisory - Hitachi Energy published an advisory describing seven vulnerabilities (two with published exploits) in their RelCare product.

Johnson Controls Advisory - Johnson Controls published an advisory discussing a deserialization of untrusted data vulnerability in their DSC PowerManage product.

 

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3 - subscription required.

Saturday, February 12, 2022

Review - Public ICS Disclosures – Week of 2-5-22 – Part 1

With this being the Saturday after Patch Tuesday, we have a lot to cover. In Part 1, we have 15 vendor disclosures from Carestream, Dell, Draeger (2), Eaton, GE Healthcare, HPE (4), Moxa (2), Palo Alto Networks, and QNAP (2).

Carestream Advisory - Carestream published an advisory discussing two vulnerabilities in their Image Suite systems.

Dell Advisory - Dell published an advisory discussing two vulnerabilities in their Dell Wyse Windows Embedded System.

Draeger Advisory #1 - Draeger published an advisory describing a use of an outdated operating system vulnerability in their Infinity Acute Care System workstations.

Draeger Advisory #2 - Draeger published an advisory describing an unsupported third-party (TLS 1.0) application vulnerability in their Gateway VF7.2 and VF9.0 products.

Eaton Advisory - Eaton published an advisory discussing the INFRA:HALT vulnerabilities in their easyControl EC4P PLCs.

GE Advisory - GE Healthcare published an advisory discussing the PwnKit vulnerabilities in their product line.

HPE Advisory #1 - HPE published an advisory discussing an insufficient control flow management vulnerability in their HPE ProLiant, Apollo, and Synergy Servers.

HPE Advisory #2 - HPE published an advisory describing 16 vulnerabilities in their HPE ProLiant, Apollo, Edgeline, and Synergy Servers.

HPE Advisory #3 - HPE published an advisory discussing three vulnerabilities in their HPE ProLiant, Apollo, and Synergy Servers.

HPE Advisory #4 - HPE published an advisory discussing five vulnerabilities in their Samba on NonStop products.

Moxa Advisory #1 - Moxa published an advisory describing two vulnerabilities in their MXview Series Network Management Software.

Moxa Advisory #2 - Moxa published an advisory describing a hard-coded credentials vulnerability in their EDR-G903 Series, EDR-G902 Series, and EDR-G810 Series Secure Routers.

Palo Alto Advisory - Palo Alto Networks published an advisory describing a URL filtering vulnerability in their PAN-OS software.

QNAP Advisory #1 - QNAP published an advisory discussing three vulnerabilities in Samba.

QNAP Advisory #2 - QNAP published an advisory describing an improper authentication vulnerability in their Kazoo Server.

 

For more information on these advisories, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2 - subscription required.

Saturday, January 8, 2022

Review - Public ICS Disclosures – Week of 1-1-22 – Part 1

This was a relatively light week for ICS disclosures, but because of the continuing response to the Log4Shell vulnerabilities, this will be a two-part report.

This week we have ten vendor disclosures from Draeger, Hitachi, Kunbus, Moxa (2), QNAP (2), Texas Instruments, VMware, and Yokogawa. There was an update for an advisory for products from IDEC. There are also nine researcher reports for products from Siemens (8) and VMware. Finally, we have one exploit published for products from Siemens.

Draeger Advisory - Draeger published an advisory discussing the use of the out-of-support TLS 1.0 and TLS 1.1.

Hitachi Advisory - Hitachi published an advisory discussing 27 vulnerabilities in their Disk Array Systems.

Kunbus Advisory - Kunbus published an advisory describing two vulnerabilities in their Revolution Pi base modules.

Moxa Advisory #1 - Moxa published an advisory discussing the DNSpooq vulnerabilities in their AWK-3131A/4131A/1137C/1131A Series of products.

Moxa Advisory #2 - Moxa published an advisory describing a memory leak vulnerability in their EDR-G903, EDR-G902, and EDR-810 Series Secure Routers.

QNAP Advisory #1 - QNAP published an advisory describing a code execution vulnerability in their NAS running QVPN Service product.

QNAP Advisory #2 - QNAP published an advisory describing a cross-site scripting vulnerability in their TFTP Server.

TI Advisory - TI published an advisory discussing the BrakTooth vulnerabilities in their dual-mode Bluetooth products.

VMware Advisory - VMware published an advisory describing a heap overflow vulnerability in their Workstation, Fusion and ESXi products.

Yokogawa Advisory - Yokogawa published an advisory describing seven vulnerabilities in their CENTUM and Exaopc products.

IDEC Update - JPCERT published an update for their IDEC PLC advisory that was originally published on December 24th, 2021.

Siemens Reports - The Zero Day Initiative published eight reports about vulnerabilities in the Siemens JT2Go products.

VMware Report - USD HeroLab published a report describing a hidden functionality vulnerability in the VMware Workspace ONE Intelligent Hub.

Siemens Exploit - RoseSecurity published an exploit for a denial of service vulnerability in the Siemens S7 Layer 2 product.

For more details about these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1 - subscription required.

Saturday, December 18, 2021

Review - Public ICS Disclosures – Week of 12-10-21 – Part 1

This week I am going to have to do a three-part report instead of the standard two-part for the weekend following 2nd Tuesday. Part 3 will deal with just Log4Shell advisories. So, for Part 1, we have 17 vendor advisories from Braun (2), Draeger, FANUC, Hitachi Energy (4), HPE, Mitsubishi Electric, Moxa, Rockwell Automation, QNAP (3), Sick, and VMware (2).

Braun Advisory #1 - Braun (USA) published an advisory discussing the NUCLEUS:13 vulnerabilities.

Braun Advisory #2 - Braun (USA) published an advisory discussing the INFRA:HALT vulnerabilities.

Draeger Advisory - Draeger published an advisory describing a privilege escalation vulnerability in their Service Connect Gateway.

FANUC Advisory - FANUC published an advisory describing two vulnerabilities in their Robot Controllers.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their PWC600 controller.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their GMS600 monitoring device.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their Relion REB500 intelligent electronic devices (IEDs).

Hitachi Energy Advisory #4 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their Relion 670, 650 series and SAM600-IO IEDs.

HPE Advisory - HPE published an advisory describing a buffer overflow vulnerability in their HPE Gen10 and Gen10 Plus Servers.

Mitsubishi Advisory - Mitsubishi published an advisory discussing three of the INFRA:HALT vulnerabilities in their MELSEC Series Remote I/O.

Moxa Advisory - Moxa published an advisory describing a command injection vulnerability in their NPort W2150A/W2250A Series Serial Device Servers.

Rockwell Advisory - Rockwell published an advisory discussing two vulnerabilities in their 1783 network address translation router (NATR).

QNAP Advisory #1 - QNAP published an advisory describing a stack-based buffer overflow vulnerability in their Surveillance Station.

QNAP Advisory #2 - QNAP published an advisory describing a reflected XSS vulnerability in their Kazoo Server.

QNAP Advisory #3 - QNAP published an advisory describing an improper authentication vulnerability in their Qfile for Android application.

Sick Advisory - Sick published an advisory describing three vulnerabilities in their SOPAS ET software.

VMware Advisory #1 - VMware published an advisory describing a server-side request forgery in their ONE UEM console.

VMware Advisory #2 - VMware has published an advisory describing two vulnerabilities in their Workspace ONE Access product.

For more details on these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-66f - subscription required.

Saturday, November 13, 2021

Review - Public ICS Disclosures – Week of 11-6-21 – Part 1

This week we have twelve vendor disclosures from Blackberry, Draeger, Open Design Alliance, HPE (4), Milestone, Phoenix Contact, QNAP, and VMware (2). There is also an update from CODESYS. Finally, we have a research report from Forescout on the plethora of TCP/IP vulnerability disclosures.

I will cover the remaining Siemens and Schneider advisories and updates that were published Tuesday, but not yet covered by NCCIC-ICS in Part 2.

Blackberry Advisory - Blackberry published an advisory describing three vulnerabilities in their Protect for Windows product.

Draeger Advisory - Draeger published an advisory discussing the NUCLEUS:13 vulnerabilities.

ODA Advisory - Incibe CERT published an advisory describing nine vulnerabilities in the ODAViewer.

HPE Advisory #1 - HPE published an advisory describing an arbitrary code execution vulnerability in their ProLiant Gen10 Plus Servers.

HPE Advisory #2 - HPE published an advisory describing 15 vulnerabilities in their ProLiant and Apollo Gen10 and Gen10 Plus servers.

HPE Advisory #3 - HPE published an advisory discussing three vulnerabilities in their ProLiant, Apollo, Synergy Gen10 and Gen10 Plus Servers.

HPE Advisory #4 - HPE published an advisory discussing an escalation of privilege vulnerability in their ProLiant, Apollo, Edgeline, and Synergy Servers.

Milestone Advisory - Milestone published an advisory describing an arbitrary file access vulnerability in their XProtect DLNA server.

Phoenix Contact Advisory - Phoenix Contact published an advisory describing two vulnerabilities in their FL MGUARD 1102/1105 products.

QNAP Advisory - QNAP published an advisory describing a cross-site scripting vulnerability in their NAS running QmailAgent.

VMware Advisory #1 - VMware published an advisory describing a privilege escalation vulnerability in their vCenter Server.

VMware Advisory #2 - VMware published an advisory discussing a denial-of-service vulnerability in their Tanzu Application Service for VMs.

CODESYS Update - CODESYS published an update for their V2 web server advisory that was originally published on October 25, 2021.

TCP/IP Vulnerability Report - Forescout published an overview report on the recent spate of TCP/IP stack vulnerability reports.

For more details on these advisories and updates, including links to 3rd party reports, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11 - subscription required.

Saturday, October 2, 2021

Review - Public ICS Disclosures – Week of 9-25-21

This week we have seven vendor disclosures from BD, Dell, Festo, Draeger (2), Philips, and Siemens.

BD Advisory - BD published an advisory discussing three vulnerabilities in their HealthSight, Knowledge, Pyxis, Kiestra, and Alaris products.

Dell Advisory - Dell published an advisory discussing two vulnerabilities in their Wyse ThinOS product.

Festo Advisory - CERT-VDE published an advisory discussing four vulnerabilities in the Festo SBRD-Q, SBOC-Q, and SBOI-Q video system products.

Draeger Advisory #1 - Draeger published an advisory describing a privilege escalation vulnerability in their Protector Software.

Draeger Advisory #2 - Draeger published an advisory discussing the BadAlloc (WindRiver version) vulnerabilities.

Philips Advisory - Philips published an advisory discussing the most recent VMware advisory.

Siemens Advisory - Siemens published an advisory describing ten vulnerabilities in their Solid Edge products.

For more details about these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-240 - subscription required.

 

Saturday, September 11, 2021

Review - Public ICS Disclosures – 9-10-21

This week we have twelve vendor disclosures from ABB, BD, Draeger, Honeywell, Johnson Controls, Mitsubishi, Philips, and QNAP (5). There are also three updates from ABB, Aruba, and Yokogawa. We also have thirteen researcher reports for products from ECOA. Finally, we have an exploit for products from Geutebruck.

ABB Advisory - ABB published an advisory describing six vulnerabilities in their EIBPORT product.

BD Advisory - BD published an advisory describing four vulnerabilities in their BD Alaris and BD FocalPoint products.

Draeger Advisory - Draeger published an advisory discussing the FragAttacks WiFi vulnerabilities.

Honeywell Advisory - Honeywell published a notice announcing the availability of new versions of their VMS and NVR Software that contain fixes for unspecified security vulnerabilities.

Johnson Controls Advisory - Johnson Controls published an advisory describing an authorization bypass through user-controlled key vulnerability in their Kantech KT‐1 door controller.

Mitsubishi Advisory - Mitsubishi published an advisory describing two vulnerabilities in the TCP/IP Protocol Stack of GOT and Tension Controller.

Philips Advisory - Philips published an advisory discussing the PetitPotam exploit.

QNAP Advisory #1 - QNAP published an advisory describing an insufficient HTTP security headers vulnerability in their QTS, QuTS hero, and QuTScloud products.

QNAP Advisory #2 - QNAP published an advisory describing an insufficiently protected credentials vulnerability in their QSW-M2116P-2T2S and QuNetSwitch products.

QNAP Advisory #3 - QNAP published an advisory describing two stack-based buffer overflow vulnerabilities in their NVR Storage Expansion.

QNAP Advisory #4 - QNAP published an advisory describing a stack-based buffer overflow vulnerability in their QUSBCam2.

QNAP Advisory #5 - QNAP published an advisory describing a stack-based buffer overflow vulnerability in their QTS, QuTS hero, and QuTScloud products.

ABB Update - ABB published an update for their Base Software for SoftControl advisory that was originally published on June 23rd, 2021.

Aruba Update - Aruba published an update for their Aruba OS advisory that was originally published on August 31st, 2021.

Yokogawa Update - Yokogawa published an update for their VB6 Runtime advisory that was originally published on April 23rd, 2021.

ECOA Reports - Zero Science published thirteen reports about vulnerabilities in the ECOA Building Automation System.

Geutebruck Exploit - Titouan Lazard published a Metasploit module for seven vulnerabilities in the Geutebruck G-Cam E2 and G-Code cameras.

For more details about the various advisories, including links to third-party reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-9-10-21 - subscription required.

Saturday, July 31, 2021

Review - Public ICS Disclosures – Week of 7-24-21

This week we have five PrintNightmare disclosures from Boston Scientific, Carestream, PEPPERL+FUCHS, Draeger, and Spacelabs Healthcare. There were four other vendor disclosures from CODESYS. We also have two updates from CODESYS.

PrintNightmare Advisories

Boston Scientific published an advisory discussing the PrintNightmare vulnerabilities.

Carestream published an advisory discussing the PrintNightmare vulnerabilities.

CERT-VDE published an advisory discussing the PrintNightmare vulnerabilities in products from PEPPERL+FUCHS.

Draeger published an advisory discussing the PrintNightmare vulnerabilities.

Spacelabs published an advisory discussing the PrintNightmare vulnerabilities.

Other Disclosures

CODESYS published an advisory describing a files or directories accessible to external parties vulnerability in their CODESYS V3 web server.

CODESYS published an advisory describing a null pointer dereference vulnerability in their CODESYS Gateway V3.

CODESYS published an advisory describing seven vulnerabilities in their CODESYS Development System V3.

CODESYS published an advisory describing a null pointer dereference vulnerability in their CODESYS EtherNetIP.

CODESYS published an update for their CODESYS V3 web server advisory that was originally published on May 19th, 2021.

CODESYS published an update for their CODESYS V3 Runtime Toolkit for VxWorks advisory that was originally published on May 19th, 2021.

For more details on these advisories and updates, including links to proof-of-concept code, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-28e - subscription required.

Saturday, June 26, 2021

Review - Public ICS Disclosures – Week of 6-19-21

This week we have 16 vendor disclosures from ABB, Aveva, Weidmueller, Draeger, Phoenix Contact (7), QNAP, Sick, SonicWall, and VMware (2). There are exploit reports for products from VMware and HPE.

Miscellaneous Advisories

ABB Advisory - ABB published an advisory discussing CodeMeter vulnerabilities in their Automation Builder, Drive Application Builder and Virtual Drive products.

Aveva Advisory - Aveva published an advisory describing five vulnerabilities in the AutoBuild service of their System Platform.

Weidmueller Advisory - CERT-VDE published an advisory describing twelve vulnerabilities in the Weidmueller Industrial WLAN devices.

Draeger Advisory - Draeger published an advisory describing an integer overflow or wraparound vulnerability in their Clinical Assistance Package.

QNAP Advisory - QNAP published an advisory describing a command injection vulnerability in their NAS running legacy versions of QTS.

Sick Advisory - Sick published an advisory describing an inadequate SSH configuration vulnerability in their Visionary-S CX product.

SonicWall Advisory - SonicWall published an advisory describing a buffer overflow vulnerability in their SonicOS.

Phoenix Contact Advisories

Phoenix Contact published an advisory describing an undocumented access vulnerability in their AXL F BK and IL BK products.

Phoenix Contact published an advisory describing a denial of service vulnerability in their ILC1x1 Industrial controllers.

Phoenix Contact published an advisory describing a file parsing memory corruption vulnerability in their Automation Worx Software Suite.

Phoenix Contact published an advisory describing a race condition vulnerability in their PLCNext, SMARTRTU AXC, CHARX control modular and EEM-SB37x products.

Phoenix Contact published an advisory describing two vulnerabilities in their PLCNext, ILC 2050 BI, FL MGUARD DM UNLIMITED, TC ROUTER and CLOUD CLIENT products.

Phoenix Contact published an advisory describing three vulnerabilities in their FL SWITCH SMCS series.

VMware Advisories

VMware published an advisory describing a local privilege escalation vulnerability in their VMware Tools, VMRC and VMware App Volumes products.

VMware published an advisory describing an authentication bypass vulnerability in their Carbon Black App Control product.

Exploits

CHackA0101 published an exploit for an improper privilege management vulnerability in the VMware vCenter Server.

Jeremy Brown published an exploit for a denial of service vulnerability in the HPE Remote Device Access product.

For more detailed information on the advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-73d (subscription required)


Saturday, April 24, 2021

Public ICS Disclosures – Week of 4-17-21

This week we have two vendor NAME:WRECK disclosures from Carestream and Draeger. We also have nine other vendor disclosures from Aruba Networks (2), Bosch, Advantech, Meinberg, QNAP, VMware, and Yokogawa (2).

NAME:WRECK Advisories

Carestream published an advisory discussing the NAME:WRECK vulnerabilities. It also addresses the Urgent/11, Ripple20, Amnesia:33, and Number:Jack vulnerabilities. Carestream provides generic mitigation measures.

Draeger published an advisory discussing the NAME:WRECK vulnerabilities. Draeger reports that none of its medical devices use the affected stacks.

Aruba Advisories

Aruba published an advisory describing eleven vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by rceman and harishkumar0394 via BugCrowd, Daniel Jensen, Erik de Jong, and Vidya Bhaskar Tripathi. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Authentication bypass - CVE-2021-25147,

• Deserialization (2) - CVE-2021-25151 and CVE-2021-25152,

• SQL injection - CVE-2021-25153,

• Privilege escalation - CVE-2021-25154,

• Authenticated XML external entity (3) - CVE-2021-25163, CVE-2021-25164, and CVE-2021-25165,

• Authenticated remote command injection (2) - CVE-2021-25166 and CVE-2021-25167, and

• Authenticated open redirect - CVE-2021-29137

Aruba published an advisory describing ten vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Luke Young, hateshape and S4thi5h via BugCrowd, Daniel Jensen, and Xavier Danest. Aruba has patches that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Unauthenticated server-side request forgery - CVE-2021-29145,

• Authenticated stored cross-site scripting (3) - CVE-2021-29139, CVE-2021-29142, and CVE-2021-29146,

• Unauthenticated XML external entities - CVE-2021-29140,

• Privilege escalation - CVE-2020-7123,

• Authenticated information disclosure - CVE-2021-29138,

• Authenticated command injection - CVE-2021-29147, and

• Authenticated retrieval of sensitive information (2) - CVE-2021-29141 and CVE-2021-29144

Bosch Advisory

Bosch published an advisory describing 14 vulnerabilities in their Rexroth IoT Gateway and ctrlX CORE products. These are third-party (operating system libraries and the Linux kernel) vulnerabilities. Bosch has updates for one of the affected products; others are pending.

The 14 reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-27815,

• Null pointer dereference - CVE-2020-27830,

• Path traversal - CVE-2020-28374,

• Release of invalid pointer or reference - CVE-2020-28941,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-29568,

• Unchecked return value - CVE-2020-29569,

• Use after free (3) - CVE-2020-29660, CVE-2020-29661, and CVE-2021-20232,

• Incorrect default permissions (2) - CVE-2021-24031 and CVE-2021-24032,

• Incorrect conversion between numeric types (2) - CVE-2021-27218 and CVE-2021-27219 (exploit), and

• Insufficient information - CVE-2021-27803

Advantech Advisory

Incibe-CERT published an advisory describing two file parsing vulnerabilities in the Advantech WebAccess/HMI designer product. The vulnerabilities were reported (here and here) by kimiya via the Zero Day Initiative. Advantech is working on mitigation measures.

NOTE: This is likely to be reported by NCCIC-ICS this coming week.

Meinberg Advisory

Meinberg published an advisory describing seven vulnerabilities in their LANTIME products. Meinberg has updated firmware versions to mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• CA certificate check bypass - CVE-2021-3450 (OpenSSL),

• Null pointer dereference - CVE-2021-23840, CVE-2021-23841 (both OpenSSL),

• API overflow of output length - CVE-2021-23840 (OpenSSL),

• Heap-based buffer overflow - CVE-2021-3156 (exploits) (SUDO),

• Cross-site scripting – no CVE, and

• Command line injection – no CVE

QNAP Advisory

QNAP published an advisory describing an improper authorization vulnerability in their NAS running HBS 3 Hybrid Backup Sync. The vulnerability was reported by ZUSO ART. QNAP has a new version that mitigates the vulnerability.

VMware Advisory

VMware published an advisory describing a privilege escalation vulnerability in their NSX-T products. The vulnerability is self-reported. VMware has patches available to mitigate the vulnerability.

Yokogawa Advisories

Yokogawa published an advisory discussing the Meltdown/SPECTRE vulnerabilities in their CENTUM VP Controller FCS products. Yokogawa has new versions that mitigate the vulnerabilities in some of their affected products.

Yokogawa published an advisory discussing the Microsoft® VB6 runtime vulnerabilities. Yokogawa has new versions that mitigate the vulnerabilities.

Saturday, March 6, 2021

ICS Public Disclosures – Week of 2-27-21

This week we have eight public disclosures from Bosch, Carestream, ENDRESS+HAUSER, Dell, Draeger, GE Healthcare, Pulse Secure, and VMware. An update is available for products from Rockwell. There is an end-of-life notice from Honeywell. Finally, there is an exploit for products from VMware.

Bosch Advisory

Bosch published an advisory describing a side-channel key extraction vulnerability in the Bosch cameras and encoders built on platforms CPP-ENC, CPP3, CPP4, CPP5, CPP6, CPP7 and CPP7.3. This is a third-party vulnerability (NXP). Since this is a chip-based vulnerability, Bosch is only able to provide generic workarounds. The original NinjaLab report on the NXP vulnerability contains proof-of-concept code.

NOTE: This third-party vulnerability was reported earlier in products from Rockwell; other vendors will probably also be affected.

Carestream Advisory

Carestream published an advisory discussing the Google heap-based buffer overflow vulnerability. Carestream provides a list of affected and unaffected products. Carestream will update Chrome in the next product release for the affected products.

ENDRESS+HAUSER Advisory

CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in a number of ENDRESS+HAUSER products. ENDRESS+HAUSER provides generic workarounds pending development of appropriate mitigation measures in future versions of the product.

Dell Advisory

Dell published an advisory describing two vulnerabilities in their EMC OpenManage Server Administrator. The vulnerabilities were reported by David Yesland from Rhino Security Labs and Tenable. Dell has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass - CVE-2021-21513, and

• Path traversal - CVE-2021-21514

NOTE: The Tenable report contains proof-of-concept code for the

Draeger Advisory

Draeger published an advisory describing an out-of-bounds write vulnerability in their CC-Vision Basic and CC-Vision E-Cal Software. The vulnerability was reported by Mario Ceballos. Draeger has new versions that mitigate the vulnerability. There is no indication that Ceballos has been provided an opportunity to verify the efficacy of the fix.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing the Microsoft Windows TCP/IP vulnerabilities. GE Healthcare reports that they are actively assessing products to see if they are affected.

Pulse Secure Advisory

Pulse Secure has published an advisory discussing the Trickboot vulnerability in their PSA-Series Hardware. Pulse Secure has a BIOS patch available that mitigates the vulnerability.

VMware Advisory

VMware published an advisory describing a remote code execution vulnerability in their View Planner product. The vulnerability was reported by Mikhail Klyuchnikov of Positive Technologies. VMware has a security patch that mitigates the vulnerability. There is no indication that Klyuchnikov has been provided an opportunity to verify the efficacy of the fix.

Rockwell Update

Rockwell published an update for their Logix Controllers advisory that was originally published on February 25th, 2021. The advisory was re-written for clarity.

NOTE: I suspect the NCCIC-ICS will update their advisory on this vulnerability this coming week.

Honeywell EOL Notice

Honeywell published an end-of-life notice for their Pro-Watch 4.3 and Pro-Watch 4.35 products. The products will no longer be supported after September 30th, 2021.

VMware Exploit

Photubias published an exploit for an unauthenticated file upload vulnerability in the VMware vCenter Server 7.0. The vulnerability was previously reported by VMware.

Saturday, August 8, 2020

Public ICS Disclosure – Week of 8-1-20


This week we have one new SigRed vendor disclosure from Draeger and one Ripple20 vendor update from Schneider.

Draeger Advisory


Draeger published a SigRed advisory announcing that none of their medical devices were affected by those vulnerabilities.

Schneider Update


Schneider published a Ripple20 advisory update for an advisory that was originally published on June 23, 2020 and most recently updated on July 29th, 2020. The new information includes:

• Updated remediation for Uninterruptible Power Supply (UPS) using NMC2, and
• Corrected affected version and enhanced Remediation/Mitigation version details for Uninterruptible Power Supply (UPS) using NMC2

Saturday, July 11, 2020

Public ICS Disclosures – Week of 7-4-20


This week we have three new Ripple20 advisories and one update. We have two additional vendor disclosures for products from Moxa and GE.

Ripple20 Advisories and Updates


HMS published a Ripple20 advisory which provides a list of HMS products which are not affected by the vulnerabilities.

CERT-VDE published a Ripple20 advisory for the MIELE Communication Module XKM3000 L MED. It provides information on affected equipment and announces that: “A security patch will be installed on the devices during regular maintenance and device requalification by the Miele customer service or authorized service partners.”

Draeger published a Ripple20 advisory announcing that Draeger medical devices are not affected.

Braun published a Ripple20 update that lists their Outlook 400ES infusion pump as their only affected product and that they are continuing to review Treck patches for applicability.

Moxa Advisory


Moxa has published an advisory describing two vulnerabilities in their MGate 5105-MB-EIP Series Protocol Gateways. The vulnerabilities were reported by Philippe Lin, Marco Balduzzi, Luca Bongiorni, Ryan Flores, Charles Perine, and Rainer Vosseler via the Zero Day Initiative. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture replay - CVE-2020-15494, and
• Exposure of sensitive information to an unauthorized actor - CVE-2020-15493

GE Advisory


GE has published an advisory describing the third-party Ghostcat vulnerability in their APM Connect UDLP 2.8 and earlier products relying upon Apache Tomcat servers. GE provides detailed mitigation measures.

NOTE: As with all third-party vulnerabilities, there is a potential for other ICS vendors to be affected by the same problem.

Saturday, June 20, 2020

Public ICS Disclosures – Week of 6-13-20


This week we have eight vendor disclosures (3 for the Ripple20 vulnerabilities) for products from Beckhoff, Moxa, Medtronic, GE Health, Draeger (2), Rockwell, and BD. There is also a researcher report of a zero-day for products from Inductive Automation.

Ripple20 Advisories


Medtronic published a Ripple20 advisory reporting no impact.

GE Healthcare published a Ripple20 advisory reporting no impact but advising that there may be possible impact to third party components used in combination with GE Healthcare products.

Draeger published a Ripple20 advisory reporting no impact.

NOTE: “No impact” reports are valuable information. I think the GE nuanced ‘no impact’ report is important where the vendor software may be running on a machine that includes other non-vendor produced software (perhaps including OS?).

Beckhoff Advisory


CERT-VDE published an advisory describing an information leak vulnerability in the Beckhoff TwinCAT RT network driver. The vulnerability is self-reported. Beckhoff has patches that mitigate the vulnerability.

Moxa Advisory


Moxa published an advisory describing a stack-based buffer overflow vulnerability in their EDR-G902 Series and EDR-G903 Series Secure Routers. The vulnerability was reported by Tal Keren from Claroty. Moxa has new firmware to mitigate the vulnerability. There is no indication that Keren has been provided an opportunity to verify the efficacy of the fix.

Draeger Advisory


Draeger published an advisory describing an improper input validation vulnerability in their Perseus A500 product. The vulnerability is self-reported. Draeger has new software that mitigates the vulnerability.

Rockwell Vulnerability


Rockwell published an advisory describing a path traversal vulnerability in their FactoryTalk Linx software. This vulnerability was discovered in the ZDI Pwn2Own competition in this year’s S4 Security conference. Rockwell has a patch that mitigates the vulnerability.

NOTE: Rockwell reports that they had previously disclosed this vulnerability in an advisory that was published on June 11th, 2020. I suppose that the Pwn2Own announcement could have been included as an update to that advisory. This may be why NCCIC-ICS has not picked up this advisory.

BD Advisory


BD published an advisory describing a remote code execution vulnerability in a number of BD products that use Microsoft Windows 10®. This is a third-party (MS) SMBv3 server vulnerability. BD is currently working to test and validate the Microsoft patch on the affected products.

Inductive Automation Advisory


The Zero Day Initiative published an advisory describing a deserialization of untrusted data information disclosure vulnerability in the Inductive Automation Ignition product. The vulnerability was reported by Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team. This vulnerability was discovered in the ZDI Pwn2Own competition in this year’s S4 Security conference and reported to the vendor. The vendor has not been able to provide an estimated fix date to either ZDI or NCCIC-ICS. This is effectively a zero-day vulnerability.

 