Showing posts with label OPC UA. Show all posts

Saturday, June 18, 2022

Review – Public ICS Disclosures – Week of 6-11-22 – Part 1

This is another busy second-Tuesday disclosure week. For Part 1 we have 23 vendor disclosures from ABB, AUMA, Genetec, Hitachi Energy, HP (2), HPE (6), OPC UA (5), PROSYS OPC, QNAP, Tanzu, TI, and VMware (2).

ABB Advisory - ABB published an advisory that describes five privilege escalation vulnerabilities in their Automation Builder, Drive Composer and Mint WorkBench products.

AUMA Advisory - CERT-VDE published an advisory that discusses a classic buffer overflow vulnerability in the AUMA SIMA² Master Station.

Genetec Advisory - Genetec published an advisory that discusses the recently reported vulnerabilities in HID Mercury controllers.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses an insecure method vulnerability in their PROMOD IV product.

HP Advisory #1 - HP published an advisory that discusses four information disclosure vulnerabilities in multiple HP products.

HP Advisory #2 - HP published an advisory that discusses an improper input validation vulnerability in multiple notebook products.

HPE Advisory #1 - HPE published an advisory that discusses four information disclosure vulnerabilities in their Synergy Servers.

HPE Advisory #2 - HPE published an advisory that discusses four information disclosure vulnerabilities in their Storage Products.

HPE Advisory #3 - HPE published an advisory that discusses four information disclosure vulnerabilities in their ProLiant DX Servers.

HPE Advisory #4 - HPE published an advisory that discusses four information disclosure vulnerabilities in their Moonshot/Edgeline Servers.

HPE Advisory #5 - HPE published an advisory that discusses four information disclosure vulnerabilities in their Superdome Flex Servers.

HPE Advisory #6 - HPE published an advisory that discusses four information disclosure vulnerabilities in their ProLiant BL/DL/ML/XL/MicroServer and Apollo Servers.

OPC UA Advisory #1 - OPC UA published an advisory that describes an uncontrolled resource consumption vulnerability in their .NET Standard Stack.

OPC UA Advisory #2 - OPC UA published an advisory that describes an incorrect implementation of authentication algorithm vulnerability in their .NET Standard Stack.

OPC UA Advisory #3 - OPC UA published an advisory that describes an uncontrolled resource consumption vulnerability in their .NET Standard Stack.

OPC UA Advisory #4 - OPC UA published an advisory that describes a memory allocation with excessive size value vulnerability in their .NET Standard Stack.

OPC UA Advisory #5 - OPC UA published an advisory that describes an infinite loop vulnerability in their .NET Standard Stack.

PROSYS OPC Advisory - PROSYS published an advisory that discusses a security feature bypass vulnerability (with publicly available exploit) in their OPC products.

QNAP Advisory - QNAP published an advisory that discusses a ransomware campaign that appears to target QNAP NAS devices running outdated versions of QTS 4.x.

Tanzu Advisory - Tanzu published an advisory that describes a denial of service vulnerability in their Spring Cloud product.

TI Advisory - TI published an advisory that describes missing ECC input validations on CC1310 and CC1350 devices.

VMware Advisory #1 - VMware published an advisory that describes an information disclosure vulnerability in their HCX product.

VMware Advisory #2 - VMware published an advisory that discusses four information disclosure vulnerabilities in their ESXi product.


For more details about these disclosures, including links to researcher reports, 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-446 - subscription required.

Saturday, May 15, 2021

Public ICS Disclosures – Week of 5-8-21, Part 1

This is a busier week than normal, even for a ‘Second Tuesday’ week. We have three vendor notifications for the FragAttacks WiFi vulnerabilities from Aruba, Ruckus, and Texas Instruments. We have two vendor notifications, from Beckhoff and Belden, for the two OPC UA vulnerabilities reported this week by NCCIC-ICS. We also have twelve other vendor notifications from Braun, SITEL (4), PEPPERL+FUCHS, CODESYS (3), Dell, and PulseSecure (2).

There will be a similarly lengthy list in Part 2 tomorrow.

FragAttacks Advisories

Aruba published an advisory discussing the FragAttacks vulnerabilities. Aruba provides a list of affected products and has new versions that mitigate the vulnerabilities.

Ruckus published an advisory discussing the FragAttacks vulnerabilities. Ruckus provides a list of affected products and has updates that mitigate the vulnerabilities.

TI published an advisory discussing the FragAttacks vulnerabilities. TI provides a list of affected products and has new versions that mitigate the vulnerabilities.

OPC UA Advisories

Beckhoff published an advisory discussing the OPC UA advisories. Beckhoff provides a list of affected products and has new versions that mitigate the vulnerabilities.

Belden published an advisory discussing the OPC UA advisories. Belden provides a list of affected products and has new versions that mitigate the vulnerabilities.

Braun Advisory

Braun published an advisory describing four vulnerabilities in a number of their products. The vulnerabilities were reported by McAfee Advanced Threat Research. Braun has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Insufficient verification of data authenticity,

• Missing authentication for critical function,

• Clear-text transmission of sensitive information, and

• Unrestricted upload of file with dangerous type.

SITEL Advisories

Incibe-Cert published an advisory describing a hard-coded credentials vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing a clear-text transmission of sensitive information vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Incibe-Cert published an advisory describing an uncontrolled resource consumption vulnerability in the SITEL CAP/PRX products. The vulnerability was reported by S21sec. SITEL has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

PEPPERL+FUCHS Advisory

CERT-VDE published an advisory describing four vulnerabilities in the PEPPERL+FUCHS ICE1 Ethernet IO Modules. These are third-party (Hilscher) vulnerabilities. PEPPERL+FUCHS has provided generic mitigation measures.

The four reported vulnerabilities are:

• Out-of-bounds write (2) - CVE-2021-20987 and CVE-2021-20986,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-20988, and

• Exposure of sensitive information to an unauthorized actor - CVE-2019-18222 (Mbed TLS)

CODESYS Advisories

CODESYS published an advisory describing three vulnerabilities in their CODESYS V2 runtime systems. The vulnerabilities were reported by Yossi Reuven of SCADAfence and Sergey Fedonin and Denis Goryushev of Positive Technologies. CODESYS has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow - CVE-2021-30188, and

• Improper input validation - CVE-2021-30195

CODESYS published an advisory describing six vulnerabilities in their V2 web server. The vulnerabilities were reported by Vyacheslav Moskvin, Sergey Fedonin and Anton Dorfman of Positive Technologies. CODESYS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-30189,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193, and

• Out-of-bounds read - CVE-2021-30194

CODESYS published an advisory describing an improper neutralization of special elements used in an OS command vulnerability in their CODESYS V2 Runtime Toolkit 32. This is a Linux implementation vulnerability. The vulnerability was reported by van Kurnakov and Sergey Fedonin of Positive Technologies. CODESYS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Dell Advisory

Dell published an advisory describing an improper authorization vulnerability in their Dell Wyse Windows Embedded System. The vulnerability was reported by Alessandro Baldini and Alessio D'Anastasio. Dell has updates that mitigate the vulnerability.

PulseSecure Advisories

PulseSecure published an advisory describing an HTTP request smuggling vulnerability in their Virtual Traffic Manager (vTM). The vulnerability was reported by James Kettle from PortSwigger Web Security. PulseSecure has new versions that mitigate the vulnerability. There is no indication that Kettle has been provided an opportunity to verify the efficacy of the fix.

PulseSecure published an advisory describing a buffer overflow vulnerability in their Pulse Connect Secure. PulseSecure provides a workaround pending development of a new version that will mitigate the vulnerability.

 