Showing posts with label InHand. Show all posts

Saturday, March 18, 2023

Review – Public ICS Disclosures – Week of 3-11-23 – Part 1

This week we have nine vendor disclosures from Aruba Networks, Carrier, Contec, Hitachi Energy, HPE (2), InHand Networks, Moxa, and Phoenix Contact. There are five vendor updates from HPE (4) and Moxa. Finally, we have three exploits for products from Eaton, Riello, and Fortinet.

In Part 2 this week I will look at disclosures from Schneider and Siemens.

Advisories

Aruba Advisory - Aruba published an advisory that describes eight vulnerabilities in their ClearPass Policy Manager program.

Carrier Advisory - Carrier published an advisory that discusses a server-side request forgery vulnerability in their LenelS2 supported platform.

Contec Advisory - Contec published an advisory that describes three vulnerabilities in their CONPROSYS M2M Gateway Series, M2M Controller Series products.

Hitachi Energy Advisory - Hitachi published an advisory that discusses a permissions, privileges, and access control vulnerability in their MicroSCADA Pro/X SYS600 Products.

HPE Advisory #1 - HPE published an advisory that discusses eight vulnerabilities in their NonStop servers.

HPE Advisory #2 - HPE published an advisory that describes a cross-site scripting vulnerability in their Integrated Lights-Out products.

InHand Advisory - InHand published an advisory that describes five vulnerabilities in their InRouter615-S industrial routers.

Moxa Advisory - Moxa published an advisory that describes two improper certificate validation vulnerabilities in their NPort 6000 Series and Windows Driver Manager products.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses five vulnerabilities in their ENERGY AXC PU product.

Updates

HPE Update #1 - HPE published an update for their FlexNetwork and FlexFabric Switches advisory that was originally published on July 30th, 2022.

HPE Update #2 - HPE published an update for their OneView for VMware vCenter advisory that was originally published on February 17th, 2023.

HPE Update #3 - HPE published an update for their ProLiant Moonshot Servers advisory that was originally published on November 8th, 2022.

HPE Update #4 - HPE published an update for their ProLiant BL/DL/ML Servers advisory that was originally published on November 8th, 2022.

Moxa Update - Moxa published an update for their UC Series advisory that was originally published on November 29th, 2022 and most recently updated on February 9th, 2023.

Exploits

Eaton Exploit - Yehia Elghaly published an exploit for a denial-of-service vulnerability in the Eaton Webpower UPS.

Riello Exploit - Ricardo Jose Ruiz Fernandez published an exploit for a shell bypass vulnerability in the Riello UPS system.

Fortinet Exploit - Jheysel-r7, Zach Hanley, and Gwendal Guegniaud published a Metasploit module for an externally controlled reference to a resource in another sphere vulnerability in the FortiNAC.

 

For more details about these disclosures, including links to third-party advisories, researcher reports and summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-d50 - subscription required.

Thursday, January 12, 2023

Review – 11 Advisories and 1 Update Published – 1-12-23

Today, CISA’s NCCIC-ICS published eleven control system security advisories for products from Siemens (4), Johnson Controls, SAUTER Controls, Panasonic, InHand Networks, RONDS, Sewio, and Hitachi Energy. They also updated a medical device security advisory for products from Philips. Siemens published two other advisories on Tuesday that were not addressed by NCCIC-ICS; I will cover them this weekend.

NOTE: NCCIC-ICS added a notice to each of the four Siemens advisories published today that: “Beginning January 10, 2023, CISA will no longer be updating historical security advisories for Siemens product vulnerabilities. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).” This will result in a significant reduction in the workload for NCCIC-ICS in the week of Cybersecurity Tuesday.

Advisories

Siemens Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Siemens Mendix SAML Module.

Siemens Advisory #2 - This advisory describes a missing immutable root of trust in hardware vulnerability in the Siemens S7-1500 CPU product family.

Siemens Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens Solid Edge product.

Siemens Advisory #4 - This advisory describes two vulnerabilities in the Siemens Automation License Manager (ALM).

Johnson Controls Advisory - This advisory describes an insufficiently protected credentials vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers.

SAUTER Advisory - This advisory describes two vulnerabilities in the SAUTER Controls Nova 200–220 Series (PLC 6).

Panasonic Advisory - This advisory describes a cross-site request forgery vulnerability in versions of the Panasonic Sanyo CCTV Network Camera.

InHand Advisory - This advisory describes five vulnerabilities in the InHand InRouter302 and InRouter615.

RONDS Advisory - This advisory describes two vulnerabilities in the RONDS Equipment Predictive Maintenance (EPM) product.

Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Lumada Asset Performance Management product.

Updates

Philips Update - This update provides additional information on an advisory that was originally published on November 18th, 2021.

 

For more details on these advisories, including links to researcher reports, exploits, and a discussion about problems with CVE numbers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/11-advisories-and-1-update-published-798 - subscription required.


Saturday, October 29, 2022

Review – Public ICS Disclosures – Week of 10-22-22

This week we have six vendor disclosures from Aruba Networks, HP, InHand Networks, Sick, and Wireshark (2). We also have a vendor update from VMware. Then there are two researcher reports for products from Delta Electronics. Finally, we have an exploit for products from Siemens.

 

Aruba Advisory - Aruba published an advisory describing sixteen vulnerabilities in their ArubaOS.

HP Advisory - HP published an advisory that describes a denial-of-service vulnerability in a number of their printers.

InHand Advisory - InHand published an advisory that describes six vulnerabilities (with proof-of-concept code available) in their Industrial Router IR302.

Sick Advisory - Sick reportedly published an advisory that describes a password recovery vulnerability in the SIMs products, but a problem with their PSIRT web page does not allow access to the link to the advisory.

VMware Advisory - VMware published an advisory that discusses two vulnerabilities (one with known exploit) in the Cloud Foundation product.

Wireshark Advisory #1 - Wireshark published an advisory that describes a code injection vulnerability in their OPUS dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a code injection vulnerability in their USB-HID dissector.

Delta Report #1 - Tenable published a report (with proof of concept code) describing two SQL injection vulnerabilities in the Delta DIAEnergie product.

NOTE: These appear to be separate from the three SQL injection vulnerabilities reported by NCCIC-ICS earlier this week.

Delta Report #2 - AWESEC published a report describing an SQL injection vulnerability in the Delta DIAEnergie product.

NOTE: This appears to be separate from the three SQL injection vulnerabilities reported by NCCIC-ICS earlier this week.

Siemens Exploit - RoseSecurity published a Metasploit module for an authentication bypass vulnerability in the Siemens APOGEE PXC BACnet Automation Controllers and TALON TC BACnet Automation Controllers.

 

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-89e - subscription required.

Saturday, May 14, 2022

Review – Public ICS Disclosures – Week of 5-7-22 – Part 1

Happy Saturday after 2nd Tuesday. It is another busy week in ICS disclosures. In Part 1 we have 25 vendor disclosures from Hitachi, Hitachi Energy (2), HP (7), HPE (11), InHand Networks, and Palo Alto Networks (4). There are lots of Intel vulnerabilities lurking here.

Hitachi Advisory - Hitachi published an advisory that discusses 69 vulnerabilities in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses an off-by-one error vulnerability (with multiple exploits available) in their TXpert Hub CoreTec 4 product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes three vulnerabilities in their TXpert Hub CoreTec 4 product.

HP Advisory #1 - HP published an advisory that discusses 28 vulnerabilities in a variety of HP products that utilize the AMD Client UEFI Firmware.

HP Advisory #2 - HP published an advisory that describes a privilege escalation vulnerability in their Jumpstart software in a variety of HP products.

HP Advisory #3 - HP published an advisory that discusses 8 vulnerabilities in a variety of HP products that utilize Intel® Solid State Drive (SSD) or Intel Optane™ SSD products.

HP Advisory #4 - HP published an advisory that discusses a privilege escalation vulnerability in a variety of HP products that utilize Intel® Boot Guard or Intel® Trusted Execution Technology (TXT).

HP Advisory #5 - HP published an advisory that discusses 15 vulnerabilities in a variety of HP products that utilize the Intel 2022.1 IPU BIOS.

HP Advisory #6 - HP published an advisory that describes two vulnerabilities in a variety of HP products that utilize the HP PC BIOS.

HP Advisory #7 - HP published an advisory that describes five vulnerabilities in their UEFI Firmware used in a variety of HP products.

HPE Advisory #1 - HPE published an advisory that describes eleven vulnerabilities in their HPE ProLiant and Apollo Servers.

HPE Advisory #2 - HPE published an advisory that discusses a disclosure of information vulnerability in their ProLiant DL/ML/MicroServer Servers.

HPE Advisory #3 - HPE published an advisory that discusses two vulnerabilities in their HPE ProLiant BL/DL/ML/XL and Apollo Servers.

HPE Advisory #4 - HPE published an advisory that discusses a disclosure of information vulnerability in their HPE ProLiant ML/DL/MicroServer Servers.

HPE Advisory #5 - HPE published an advisory that discusses eleven vulnerabilities in their Synergy Servers.

HPE Advisory #6 - HPE published an advisory that discusses an improper validation of array index vulnerability (with publicly available exploit) in their Nimble Storage product.

HPE Advisory #7 - HPE published an advisory that discusses two vulnerabilities in their Synergy Servers.

HPE Advisory #8 - HPE published an advisory that discusses eleven vulnerabilities in their ProLiant DX Servers.

HPE Advisory #9 - HPE published an advisory that discusses two vulnerabilities in their ProLiant DX Servers.

HPE Advisory #10 - HPE published an advisory that discusses two vulnerabilities in various HPE storage products.

HPE Advisory #11 - HPE published an advisory that discusses eleven vulnerabilities in various HPE storage products.

InHand Advisory - InHand published an advisory that describes 17 vulnerabilities in their Industrial Router IR302.

Palo Alto Advisory #1 - Palo Alto published an advisory that describes an improper neutralization of special elements vulnerability in their PAN-OS.

Palo Alto Advisory #2 - Palo Alto published an advisory that describes an uncontrolled search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #3 - Palo Alto published an advisory that describes a privilege escalation vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #4 - Palo Alto published an advisory that describes an incorrect authorization vulnerability in their Cortex XSOAR.

 

For more details about these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5 - subscription required.

Tuesday, November 30, 2021

Review - 5 Advisories and 2 Updates Published – 11-30-21

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Hitachi Energy, Johnson Controls, Delta Electronics, Mitsubishi Electric, and Xylem. They also updated two advisories for products from multiple RTOS and InHand Networks.

Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Retail Operations and Counterparty Settlement and Billing (CSB) Product.

NOTE: I briefly discussed the two supporting Hitachi Energy advisories along with five others on November 6th, 2021.

Johnson Controls Advisory - This advisory discusses an off-by-one error vulnerability in the Johnson Controls Controlled Electronic Management Systems Ltd. CEM Systems AC2000.

Delta Electronics Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta Electronics CNCSoft software management software.

Mitsubishi Advisory - This advisory describes three vulnerabilities in the Mitsubishi MELSEC CPU module and MELIPC Series software management platform.

Xylem Advisory - This advisory describes an SQL injection vulnerability in the Xylem Aanderaa GeoView web-based data display.

Multiple RTOS Update - This update provides additional information on an advisory that was originally published on April 29th, 2021 and most recently updated on August 17th, 2021.

NOTE 1: I briefly discussed the reported Hitachi Energy RTU500 advisory on November 20th.

NOTE 2: I briefly discussed the reported Hitachi Energy MSM advisory on August 21st, 2021.

InHand Networks Update - This update provides additional information on an advisory that was originally published on October 7th, 2021.

NOTE: InHand went from a notation of “InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities” to having a vendor security advisories page with vulnerability reporting contact information and PGP public key listing. I hope they keep it up; it has been added to my weekly checklist.

For more details on these advisories and updates, including links to 3rd party vendors and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published - subscription required.

Thursday, October 7, 2021

Review - 7 Advisories Published – 10-7-21

Today CISA’s NCCIC-ICS published seven control system security advisories for products from FATEK Automation (2), InHand Networks, Mitsubishi Electric, Johnson Controls (2), and Mobile Industrial Robots.

FATEK Advisory #1 - This advisory describes a stack-based buffer overflow vulnerability in the FATEK Communication Server.

FATEK Advisory #2 - This advisory describes seven vulnerabilities in the FATEK WinProladder.

InHand Advisory - This advisory describes 13 vulnerabilities in the InHand IR615 Router.

Mitsubishi Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R Series C Controller Module R12CCPU-V.

Johnson Controls Advisory #1 - This advisory describes an integer overflow or wraparound vulnerability in the Johnson Controls exacqVision Server 32-bit.

Johnson Controls Advisory #2 - This advisory describes an improper privilege management vulnerability in the Johnson Controls exacqVision Server Bundle.

Mobile Industrial Robots - This advisory describes ten vulnerabilities in the MiR MiR100, MiR200, MiR250, MiR500, MiR1000, MiR Fleet products.

NOTE: NCCIC-ICS reports that both FATEK and InHand have failed to cooperate with the vulnerability mitigation coordination activities of the agency.

For more details about the advisories, including lots of information (including exploit links) about the Mobile Industrial Robots advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-published-10-7-21 - subscription required.

 