This week we have 15 vendor disclosures from Fauscher, GE Gas Power, HPE (4), Ingeteam, Mitsubishi, Phoenix Contact, QNAP (3), Schweitzer Engineering Labs (2), and Zyxel. There are five vendor updates for products from Broadcom (2) and Palo Alto Networks (3). There are also two researcher reports for products from Atos and Royal Aps. Finally, we have an exploit for products from Ivanti.
Advisories
Frauscher Advisory – CERT-VDE published an advisory that describes
three vulnerabilities in their FDS101 for FAdC/FAdCi product.
GE Advisory - GE published an
advisory that discusses seven vulnerabilities in the Nozomi Guardian/CMC.
HPE Advisory #1 - HPE published an
advisory that discusses two vulnerabilities in their NonStop Products.
HPE Advisory #2 - HPE published an
advisory that describes four incomplete cleanup vulnerabilities in their NonStop
Products.
HPE Advisory #3 - HPE published an
advisory that discusses two improper initialization vulnerabilities in
their ProLiant AMD XL Servers.
HPE Advisory #4 - HPE published an
advisory that discusses two improper initialization vulnerabilities in
their ProLiant AMD DL Servers.
Ingeteam Advisory - Incibe-CERT published an
advisory that describes three input validation vulnerabilities in the
Ingeteam INGEPAC DA3451 and INGEPAC FC5066.
Mitsubishi Advisory - Mitsubishi published an
advisory that describes an incorrect default permissions vulnerability in
their FA Engineering Software products.
QNAP Advisory #1 - QNAP published an advisory
that describes a classic buffer overflow vulnerability in their Multimedia
Console products.
QNAP Advisory #2 - QNAP published an advisory
that describes a classic buffer overflow vulnerability in their legacy versions
of QTS products.
QNAP Advisory #3 - QNAP published an advisory
that discusses three vulnerabilities in their QTS, QuTS hero, and QuTScloud.
SEL Advisory #1 - SEL published an
advisory that reports vulnerabilities in their Protocol Services.
SEL Advisory #2 - SEL published an
advisory that reports vulnerabilities in their Blueframe OS.
Zyxel Advisory - Zyxel published an advisory that discusses the report of a 2017 vulnerability in their EMG2926-Q10A product being listed on CISA Known Exploited Vulnerabilities (KEV) catalog.
Updates
Broadcom Update #1 - Broadcom published an
update for their Apache HTTP Server advisory that was originally published
on August 1st, 2023.
Broadcom Update #2 - Broadcom published an
update for their HTTP Server advisory that was originally published on August
1st, 2023.
Palo Alto Networks Update #1 - Palo Alto Networks
published an
update for their TunnelCrack vulnerabilities
advisory that was originally published on August 16th, 2023 and most
recently updated on August 21st.
Palo Alto Networks Update #2 - Palo Alto Networks
published an
update for their Cortex XDR Agent advisory that was published on September
9th.
Palo Alto Networks Update #3 - Palo Alto Networks published an update for their BGP Software advisory that was published on September 13th, 2023.
Reports
Atos Report - SEC Consult published a
report describing two vulnerabilities in the Atos Unify OpenScape. The
report includes proof-of-concept code.
Royal Aps Report - Zero Science published a report that describes a heap memory corruption vulnerability in the Royal Apps RoyalTSX remote access tool.
Exploit
Ivanti Exploit - Ege Balci published a Metasploit
module for an out-of-bounds write vulnerability in the Ivanti Avalanche MDM.
For more details about these disclosures, including links to
3rd party advisories and researcher reports, see my article at CFSN Detailed
Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-53a
- subscription required.
Posts
