Showing posts with label OPC Foundation. Show all posts

Saturday, July 13, 2024

Review – Public ICS Disclosures – Week of 7-6-23 – Part 1

This week we have eight vendor disclosures about the Blast-Radius and RegreSSHion vulnerabilities. We have 25 additional vendor disclosures from BD, FortiGuard (3), Hitachi, Moxa, OPC Foundation, Palo Alto Networks (5), Pepperl+Fuchs (2), Philips, Schneider (4), SEL, and VMware (7).

Blast-RADIUS Advisories

Cisco published an advisory that provides a list of products currently under review as being potentially affected.

HPE published an advisory that provides a list of Aruba Networking products affected.

Palo Alto Networks published an advisory that provides a list of affected products and provides workarounds.

WatchGuard published an advisory that provides a list of products that they are investigating with regard to this vulnerability.

RegreSSHion Advisories

Cisco published an update that updated the lists of affected products, unaffected products, and products currently under review.

HMS published an advisory that provides a list of affected products and reports that: “All servers have been updated on 10/07/2024. No further actions are needed.”

Philips published an advisory that reports that none of their products are affected.

Synology published an advisory that reports that none of their products are affected.

Advisories

BD Advisory - BD published an advisory that discusses an improper privilege management vulnerability in multiple BD products.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an improper access control vulnerability in their FortiExtender authentication component.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes an incorrect parsing of numbers with different radices vulnerability in their FortiOS and FortiProxy IP address validation feature.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes a cross-site scripting vulnerability in their FortiOS and FortiProxy's web SSL VPN UI.

Hitachi Advisory - Hitachi published an advisory that discusses 70 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities.

Moxa Advisory - Moxa published an advisory that discusses a use after free vulnerability (that is listed in CISA’s Known Exploited Vulnerabilities Catalog) in multiple Moxa products.

OPC Foundation - The OPC Foundation published an advisory that describes an allocation of resources without limits or throttling vulnerability in their UA-.NETStandard product.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that describes a hard-coded password vulnerability in their Expedition VM product.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes an improper input validation vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes an improper verification of cryptographic signature vulnerability in their Cortex XDR Agent.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an unrestricted upload of file with dangerous type vulnerability in their PAN-OS products.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes a missing authentication for critical function vulnerability in the Network Expedition product.

Pepperl+Fuchs Advisory #1 - CERT-VDE published an advisory that discusses a use after free vulnerability in their Smart-Ex 02 and Smart-Ex 03 products.

Pepperl+Fuchs Advisory #2 - CERT-VDE published an advisory that describes two vulnerabilities in the Pepperl+Fuchs OIT-XXXX products.

Philips Advisory - Philips published an advisory that discusses a TeamViewer vulnerability. Philips reports that none of their products are affected.

Schneider Advisory #1 - Schneider published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Wiser Home Controller WHC-5918A.

Schneider Advisory #2 - Schneider published an advisory that describes three vulnerabilities in their Foxboro DCS Core Control Services.

Schneider Advisory #3 - Schneider published an advisory that describes a path traversal vulnerability in their EcoStruxure Foxboro SCADA FoxRTU Station.

Schneider Advisory #4 - Schneider published an advisory that describes a cross-site scripting vulnerability in their Modicon Controllers.

SEL Advisory - SEL published a new version notice for their SEL-5052 Server Software that includes descriptions of cybersecurity fixes.

VMware Advisory #1 - Broadcom published an advisory that describes an SQL injection vulnerability in the VMware Aria Automation product.

VMware Advisories #2 thru #7 - Broadcom re-published six VMware advisories in the Broadcom format.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-c55 - subscription required.

Saturday, May 20, 2023

Review – Public ICS Disclosures – Week of 5-13-23

This week we have 19 vendor disclosures from ABB, Broadcom (6), Flexera, Helmholz, HPE (3), MB Connect, OPC Foundation, SICK, TandD, Western Digital, WAGO, and Zyxel. There are also two updates from BD and HPE. Finally, we have two exploits for products from Ivanti and Siemens.

Advisories

ABB Advisory - ABB published an advisory that describes two vulnerabilities in their Terra AC wallbox.

Broadcom Advisory #1 - Broadcom published an advisory that discusses an out-of-bounds read vulnerability in their Brocade Directors, Brocade Fabric OS, and Brocade Switches.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an SQL injection vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link.

Broadcom Advisory #3 - Broadcom published an advisory that discusses an incorrect permission assignment for critical resource vulnerability in their Brocade SANnav.

Broadcom Advisory #4 - Broadcom published an advisory that discusses an SQL injection vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link.

Broadcom Advisory #5 - Broadcom published an advisory that discusses an SQL injection vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link.

Broadcom Advisory #6 - Broadcom published an advisory that discusses an abuse of service location protocol vulnerability in their Brocade Fabric OS, Brocade SANnav, Brocade Support Link.

Flexera Advisory - Flexera published an advisory that discusses four vulnerabilities in their FlexNet Publisher.

Helmholz Advisory - CERT-VDE published an advisory that discusses two unnamed vulnerabilities in their myREX24 and myREX24.virtual products.

HPE Advisory #1 - HPE published an advisory that discusses four vulnerabilities in their HP-UX products.

HPE Advisory #2 - HPE published an advisory that discusses two vulnerabilities in their Edgeline servers.

HPE Advisory #3 - HPE published an advisory that discusses 11 vulnerabilities in their Cray EX235a Accelerator Blade.

MB Connect Advisory – MB Connect published an advisory that describes an incorrectly implemented object cache vulnerability in their mbCONNECT24 and mymbCONNECT24 products.

OPC Foundation - The OPC Foundation published an advisory that describes an uncontrolled resource consumption vulnerability in their OPC UA Legacy Java Stack.

SICK Advisory - The SICK product security page lists a new advisory for “Vulnerabilities in SICK FTMg”.

TandD Advisory - TandD published an advisory that describes four vulnerabilities in four end-of-life TandD products.

Western Digital Advisory - Western Digital published an advisory that describes four vulnerabilities in their My Cloud OS 5 Firmware.

WAGO Advisory - CERT-VDE published an advisory that describes an OS command injection vulnerability in multiple products from WAGO.

Zyxel Advisory #1 - Zyxel published an advisory that describes four vulnerabilities in their NBG-418N v2 router.

Zyxel Advisory #2 - Zyxel published an advisory that describes a command injection vulnerability in their NBG6604 router.

Updates

BD Update - BD published an update for their BD Totalys™ MultiProcessor that was originally published on October 4th, 2022.

HPE Update - HPE published an update for their PE Servers using certain Intel Chipset Firmware advisory that was originally published on February 8th, 2022 and most recently updated on March 3rd, 2022.

Exploits

Ivanti Exploit - Shelby Pace, Piotr Bazydlo published a Metasploit module for an unrestricted upload of file with dangerous type vulnerability in the Ivanti Avalanche.

Siemens Exploit - RoseSecurity published an exploit for a cross-site request forgery vulnerability in the SIMATIC S7-1200 CPU.

 

For more details on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-978 - subscription required.


Saturday, May 6, 2023

Review – Public ICS Disclosures – Week of 4-29-23

This week we have 23 vendor disclosures from Broadcom (6), FortiGuard Labs (9), HMS, Honeywell, HP, Insyde (2), OPC Foundation (2), and Philips. We have five researcher reports for vulnerabilities in products from Sante. Finally, we have an exploit report for products from FortiGuard.

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses a cleartext transmission of sensitive information vulnerabilities in multiple Brocade products.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an HTTP request/response smuggling vulnerability in multiple Brocade products.

Broadcom Advisory #3 - Broadcom published an advisory that discusses an allocation of resources without limit or throttling vulnerability in multiple Brocade products.

Broadcom Advisory #4 - Broadcom published an advisory that discusses a data processing error vulnerability in multiple Brocade products.

Broadcom Advisory #5 - Broadcom published an advisory that discusses a deserialization of untrusted data vulnerability in multiple Brocade products.

Broadcom Advisory #6 - Broadcom published an advisory that discusses a deserialization of untrusted data vulnerability in multiple Brocade products.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an out-of-bounds write vulnerability in their FortiOS and FortiProxy products.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes an open redirect vulnerability in their FortiNAC product.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes a use of hard-coded credentials vulnerability in their FortiNAC product.

FortiGuard Advisory #4 - FortiGuard published an advisory that describes an insufficiently protected credentials vulnerability in their FortiNAC.

FortiGuard Advisory #5 - FortiGuard published an advisory that describes a weak authentication vulnerability in their FortiNAC product.

FortiGuard Advisory #6 - FortiGuard published an advisory that describes a cross-site scripting vulnerability in their FortiNAC product.

FortiGuard Advisory #7 - FortiGuard published an advisory that describes a weak cryptographic algorithm vulnerability in their FortiNAC product.

FortiGuard Advisory #8 - FortiGuard published an advisory that describes a path traversal vulnerability in their FortiADC product.

FortiGuard Advisory #9 - FortiGuard published an advisory that describes an OS command injection vulnerability in their FortiADC product.

HMS Advisory - HMS published an advisory that discusses an authentication bypass by capture replay vulnerability in their Anybus Wireless Bridge II/Bolt.

Honeywell Advisory - Honeywell published an end-of-life notice for multiple products.

HP Advisory - HP published an advisory that discusses eleven vulnerabilities in multiple HP products.

Insyde Advisory #1 - Insyde published an advisory that describes an out-of-bounds read vulnerability in their InsydeCrPkg.

Insyde Advisory #2 - Insyde published an advisory that describes an inadequate input validation vulnerability in multiple Intel mobile platforms.

OPC Foundation Advisory #1 - The OPC Foundation published an advisory that describes an improperly controlled sequential memory allocation vulnerability in their OPC UA .NET Standard Reference Server.

OPC Foundation Advisory #2 - The OPC Foundation published an advisory that describes a generation of error message that contains sensitive information vulnerability in their OPC UA .NET Standard Reference Server.

Philips Advisory - Philips published an advisory that discusses the Windows WinVerifyTrust Signature Validation Vulnerability.

Researcher Reports

Sante Reports - The Zero Day Initiative published reports for five vulnerabilities in the Sante DICOM Viewer Pro.

Exploits

FortiGuard Exploit - Code16 published an exploit for an unspecified vulnerability in FortiGate-VM64.

 

For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-837 - subscription required.

Saturday, November 19, 2022

Review – Public ICS Disclosures – Week of 11-12-22

This week we have two new OpenSSL 3.0 vendor disclosures from Eurotech and Ruckus Wireless. There are 24 other vendor disclosures from ABB, BD (2), Genetec, Hitachi Energy (2), HPE (2), Inductive Automation, Insyde (8), Mitsubishi, Moxa, OPC Foundation, Phoenix Contact, Sick (2), and Siemens Healthineers. There are three vendor updates from HPE, Mitsubishi (2), and Palo Alto Networks. Finally, we have an exploit for products from Siemens.

OpenSSL 3.0 Vendor Disclosures

Eurotech published an OpenSSL 3.0 advisory. Eurotech reports that none of their products are affected.

Ruckus Wireless published an OpenSSL 3.0 advisory. Ruckus reports that none of their products are affected.

Vendor Disclosures

ABB Advisory - ABB published an advisory that describes a clear-text storage of credentials vulnerability in their PCM600 tool.

BD Advisory #1 - BD published an advisory that discusses an authentication bypass vulnerability with known exploit in their Kiestra products.

BD Advisory #2 - BD published a Third-Party Software Component End of Support notice for their Alaris products (products available in US are not affected).

Genetec published an advisory that discusses an improper authentication vulnerability in their Sipelia and Mission Control products (and various plugins).

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a clear-text storage of credentials vulnerability in their IED Connectivity Packages (IED ConnPacks) and PCM600 Products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes an input validation vulnerability in their MicroSCADA Pro/X SYS600 products.

HPE Advisory #1 - HPE published an advisory that describes an unauthorized access vulnerability in their NetBatch-Plus software.

HPE Advisory #2 - HPE published an advisory that describes an authentication bypass vulnerability in their OfficeConnect network switches.

Inductive Automation Advisory - Inductive Automation published an advisory that discusses the Text4Shell vulnerability.

Insyde Advisory #1 - Insyde published an advisory that describes an untrusted pointer vulnerability in their UsbCoreDxe file.

Insyde Advisory #2 - Insyde published an advisory that describes an untrusted input vulnerability in their AhciBusDxe file.

Insyde Advisory #3 - Insyde published an advisory that describes an incorrect pointer check vulnerability in their FwBlockServiceSmm driver.

Insyde Advisory #4 - Insyde published an advisory that describes an incorrect pointer check vulnerability in their NvmExpressDxe driver.

Insyde Advisory #5 - Insyde published an advisory that describes an untrusted pointer vulnerability in their SdHostDriver and SdMmcDevice.

Insyde Advisory #6 - Insyde published an advisory that describes a race condition vulnerability in their UsbCoreDxe.

Insyde Advisory #7 - Insyde published an advisory that describes an initialization function vulnerability in their PnpSmm file.

Insyde Advisory #8 - Insyde published an advisory that describes an input address manipulation vulnerability in their PnpSmm function 0x52 file.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses a denial-of-service vulnerability in multiple consumer products.

Moxa Advisory - Moxa published an advisory that describes an improper authentication vulnerability in their NE-4100T Series.

OPC Foundation Advisory - The OPC Foundation published an advisory that describes a privilege escalation vulnerability in their local discovery server.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes a denial-of-service vulnerability in their FL MGUARD and TC MGUARD devices.

Sick Advisory #1 - Sick published an advisory that describes an improper authorization vulnerability in their FlexiCompact products.

Sick Advisory #2 - Sick published an advisory that describes six missing authentication for critical function vulnerabilities in their SIM products.

Siemens Healthineers - Siemens published an advisory that describes seven vulnerabilities in their syngo Dynamics servers.

Vendor Updates

HPE Update - HPE published an update for their B-series SAN Switches advisory that was originally published on November 11th, 2022.

Mitsubishi Update #1 - Mitsubishi published an update for their Multiple FA Engineering Software Products advisory that was originally published on July 30th, 2020 and most recently updated on July 28th, 2022.

Mitsubishi Update #2 - Mitsubishi published an update for their Multiple FA Engineering Software Products advisory that was originally published on February 18th, 2021 and most recently updated on July 28th, 2021.

Palo Alto Networks Update - Palo Alto Networks published an update for their Cortex XSOAR advisory that was originally published on November 9th, 2022.

Exploits

Siemens Exploit - Mr me published a Metasploit module for a remote code execution vulnerability in the VMware NSX Manager XStream.


For more information on these disclosures, including links to researcher reports, 3rd party advisories, exploits, and one Russian commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-f60 - subscription required.


Saturday, August 6, 2022

Review – Public ICS Disclosures – Week of 7-30-22

This week we have eleven vendor disclosures from Belden, Bosch, DrayTek, HPE, Meinberg, Mitsubishi, OPC Foundation, PulseSecure, Software Toolbox (2), and VMware. There are also two updates from Belden and HP.

 

Belden Advisory - Belden published an advisory that describes a denial of service vulnerability in their Hirschmann EagleSDV.

Bosch Advisory - Bosch published an advisory that describes two vulnerabilities in their BF-OS. Bosch

DrayTek Advisory - DrayTek published an advisory that describes a remote code execution vulnerability in their Vigor Routers.

NOTE: The DrayTek advisory includes an actual link to the Trellix report. That is full disclosure.

HPE Advisory - HPE published an advisory that discusses a directory traversal vulnerability in their B-series Fibre Channel SAN Switch.

Meinberg Advisory - Meinberg published an advisory that discusses fifteen vulnerabilities (13 with available exploits) in their LANTIME firmware.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses two vulnerabilities in their GT SoftGOT2000.

NOTE: The Mitsubishi advisory notes that these vulnerabilities affect “multiple FA products”, but only one product is currently listed. We may see additional products added in future updates.

OPC Foundation - The OPC Foundation published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their OPC UA .NET Standard Reference Server.

PulseSecure Advisory - PulseSecure published an advisory that discusses an OS command injection vulnerability.

Software Toolbox Advisory #1 - Software Toolbox published an advisory that discusses the DICOM hardening vulnerability in their OPC Quick Client.

Software Toolbox Advisory #2 - Software Toolbox published an advisory that discusses the DICOM hardening vulnerability in their Top Server.

VMware Advisory - VMware published an advisory that describes ten vulnerabilities (with one known exploit) in multiple products.

Belden Update - Belden published an update for their FragAttacks advisory that was originally published on March 14th, 2022.

HP Update - HP published an update for their Wireless Bluetooth advisory that was originally published on February 8th, 2022 and most recently updated on June 13th, 2022.

 

For more details on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-ec0 - subscription required.

Sunday, July 17, 2022

Review – Public ICS Disclosures – Week of 7-9-22 – Part 2

For part two we start with five vendor disclosures from Inductive Automation and Schneider Electric (4). We also have thirteen vendor updates from Fanuc, HPE (2), OPC Foundation, Schneider (6), and Siemens (3). Finally, we have one researcher report on products from Festo.

Inductive Automation Advisory - Inductive Automation published a blog post on five vulnerabilities in their Ignition control server that were discovered during the Pwn2Own competition at the recent S4x22 conference.

Schneider Advisory #1 - Schneider published an advisory that describes seven vulnerabilities in their OPC UA and X80 Advanced RTU Modicon communications modules.

Schneider Advisory #2 - Schneider published an advisory that describes an OS command injection vulnerability in their SpaceLogic C-Bus Home Controller.

Schneider Advisory #3 - Schneider published an advisory that describes an improper privilege management vulnerability in their Acti9 PowerTag Link C product.

Schneider Advisory #4 - Schneider published an advisory that describes three vulnerabilities in their Easergy P5 product line.

Fanuc Update - Fanuc published an update for their ROBOGUIDE advisory that was originally published on April 8th, 2022 and most recently updated on April 27th, 2022.

HPE Update #1 - HPE published an update for their ProLiant BL/DL/ML/XL/MicroServer advisory that was originally published on June 14th, 2022.

HPE Update #2 - HPE published an update for their ProLiant BL/DL/ML/XL/MicroServer advisory that was originally published on May 10th, 2022 and most recently updated on June 22nd, 2022.

OPC Foundation Update - The OPC Foundation published an update for their OPC UA .NET Standard Stack advisory that was originally published on May 1st, 2022.

Schneider Update #1 - Schneider published an update for their CODESYS V3 Runtime advisory that was originally published on January 11th, 2022 and most recently updated on April 12th, 2022.

Schneider Update #2 - Schneider published an update for their APC Smart-UPS advisory that was originally published on March 8th, 2022 and most recently updated on June 14th, 2022.

Schneider Update #3 - Schneider published an update for their IGSS advisory that was originally published on April 12th, 2022.

Schneider Update #4 - Schneider published an update for their ATT Labs Compressor advisory that was originally published on August 10th, 2021 and most recently updated on April 12th, 2022.

Schneider Update #5 - Schneider published an update for their EcoStruxure advisory that was originally published on July 13th, 2021 and most recently updated on April 12th, 2022.

Schneider Update #6 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on September 14th, 2021, and most recently updated on March 8th, 2022.

Siemens Update #1 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on June 14th, 2022.

Siemens Update #2 - Siemens published an update for their Insyde Bios advisory that was originally published on February 22nd, 2022 and most recently updated on March 8th, 2022.

Siemens Update #3 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on June 14th, 2022.

Festo Report - OneKey published a report discussing four vulnerabilities in the FESTO Controller CECC-X-M1.

 

For more details on these disclosures, including brief descriptions of update changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-094 - subscription required.

Saturday, May 21, 2022

Review – Public ICS Disclosures – Week of 5-14-22

This week we have sixteen vendor disclosures from Aruba, Fujitsu, HPE (6), Moxa, OPC Foundation, Pepperl+Fuchs, Philips, Sick, Siemens, and Tanzu (2). Then we have two vendor updates from Aruba and Johnson Controls. Finally, we have four researcher reports for products from Schneider, Spectrum Brands, Tesla, and Galleon.

Aruba Advisory - Aruba published an advisory that discusses five vulnerabilities in multiple Aruba products.

Fujitsu Advisory - JP-CERT published an advisory that discusses two vulnerabilities in the Fujitsu IPCOM products.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities in their Edgeline Servers.

HPE Advisory #2 - HPE published an advisory that discusses an information disclosure vulnerability in their Moonshot/Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses an information disclosure vulnerability in their Moonshot/Edgeline Servers.

HPE Advisory #4 - HPE published an advisory that discusses six vulnerabilities in their HP-UX OpenSSL products.

HPE Advisory #5 - HPE published an advisory that describes three vulnerabilities in their OneView product.

HPE Advisory #6 - HPE published an advisory that discusses 14 vulnerabilities in their ProLiant Gen10 and Gen10 Plus Servers.

Moxa Advisory - Moxa published an advisory that discusses a heap-based buffer overflow vulnerability in the Linux IPsec ESP transformation code.

OPC Advisory - The OPC Foundation published an advisory that describes an uncontrolled resource exhaustion vulnerability in their UA Legacy Java Stack.

NOTE: I believe that this vulnerability was one of the ones reported in the Pwn2Own Miami 2022 competition that I briefly mentioned last week.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses six Bluetooth vulnerabilities in the Pepperl+Fuchs RSM-EX01B product family.

Philips Advisory - Philips published an advisory that discusses the CISA Emergency Directive 22-03 for the mitigation of VMware vulnerabilities.

Sick Advisory - Sick published an advisory that describes a deserialization of untrusted data vulnerability in their Flexi Soft Designer & Safety Designer.

Siemens Report - Siemens published a report discussing a published exploit of their S7-1200 4.5 that was published back in March.

Tanzu Advisory #1 - Tanzu published an advisory that describes an integer overflow vulnerability in their Spring Security product.

Tanzu Advisory #2 - Tanzu published an advisory that describes an authorization bypass vulnerability in their Spring Security product.

Aruba Update - Aruba published an update for their TLStorm 2.0 advisory that was originally published on May 3rd, 2022.

Johnson Controls Update - Johnson Controls published an update for their SpringShell advisory that was originally published on April 19th, 2022 and most recently updated on April 29th, 2022.

Schneider Report #1 - Kaspersky published a report that describes an authentication bypass by spoofing vulnerability in the Schneider Electric Modicon M340/M580 controllers.

Schneider Report #2 - Kaspersky published a report that describes an information leak from project files vulnerability in the Schneider Electric EcoStruxure Control Expert / Process Expert, and SCADAPack RemoteConnect products.

Spectrum Brands Report - NCC Group published a report describing a BLE relay vulnerability in the Kwikset/Weiser Kevo smart locks.

Tesla Report - NCC Group published a report describing a BLE relay vulnerability in the Tesla automobile.

Galleon Report - Pen Test Partners published a report describing a command injection vulnerability in the Galleon Systems’ GPS NTP time server.


For more details on these disclosures, including links to researcher reports and third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-581 - subscription required.


Tuesday, June 4, 2019

Three Advisories Published – 06-04-19


Today the DHS NCCIC-ICS published three control system security advisories for products from Geutebruck and Phoenix Contact (2).

Geutebruck Advisory


This advisory describes three vulnerabilities in the Geutebruck Encoder and E2 Series Cameras. The vulnerabilities were reported by Romain Luyer and Guillaume Gronnier from CEIS, and Davy Douhine from RandoriSec. Geutebruck reports that the latest version of the firmware mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

Cross-site scripting - CVE-2019-10957; and
OS command injection (2) - CVE-2019-10956 and CVE-2019-10958

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution as root and remote code execution in the browser of the IP camera operator.

FL NAT Advisory


This advisory describes an improper access control vulnerability in the Phoenix Contact FL NAT SMx industrial Ethernet switches. The vulnerability was reported by Maxim Rupp via CERT VDE. Phoenix Contact has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow unauthorized users full access to the device configuration.

PLCNext Advisory


This advisory describes four vulnerabilities in the Phoenix Contact PLCNext AXC F 2152 products. The vulnerabilities were reported by Zahra Khani of Firmalyzer and the OPC Foundation. Phoenix Contact reports that later versions of the firmware mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

Key management errors - CVE-2018-7559;
Improper access control - CVE-2019-10998;
Man-in-the-middle - CVE-2019-10997; and
Using components with known vulnerabilities

NOTE: The CERT VDE advisory lists 43 separate Linux vulnerability CVEs for the fourth vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to decrypt passwords, bypass authentication, and deny service to the device. In addition, these vulnerabilities could interact with third-party vulnerabilities to cause other impacts to integrity, confidentiality, and availability.

 