Showing posts with label Panasonic. Show all posts

Sunday, May 18, 2025

Review – Public ICS Disclosures – Week of 5-10-25 – Part 2

This week for Part 2 we have 29 additional vendor disclosures from Mitsubishi, NI, Palo Alto Networks (11), Panasonic, Phoenix Contact, Rockwell Automation, SEL (3), Schneider (4), Siemens, Supermicro, VMware (2), and WatchGuard (2). Part 3 should be published on Tuesday.

Advisories

Mitsubishi Advisory - Mitsubishi published an advisory that describes an execution with unnecessary privilege vulnerability in their GENESIS64 and MC Works64 products.

NI Advisory - NI published an advisory that describes five vulnerabilities in their Circuit Design Suite.

PAN Advisory #1 - PAN published an advisory that discusses 16 vulnerabilities in their Prisma Access Browser products.

PAN Advisory #2 - PAN published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in multiple Palo Alto Networks products.

PAN Advisory #3 - PAN published an advisory that describes an incorrect privilege assignment vulnerability in their MetaDefender Endpoint Security SDK product.

PAN Advisory #4 - PAN published an advisory that describes a missing authentication for critical function vulnerability in their Cortex XDR Broker VM product.

PAN Advisory #5 - PAN published an advisory that describes a cross-site scripting vulnerability in multiple Palo Alto Networks products.

PAN Advisory #6 - PAN published an advisory that describes a code injection vulnerability in their Cortex XDR Broker VM product.

PAN Advisory #7 - PAN published an advisory that describes an incorrect privilege assignment vulnerability in their GlobalProtect products.

PAN Advisory #8 - PAN published an advisory that describes a clear-text transmission of sensitive information vulnerability in multiple Palo Alto Networks products.

PAN Advisory #9 - PAN published an advisory that describes an improper neutralization of a script in a web page vulnerability in their Cloud NGFW and PAN-OS products.

PAN Advisory #10 - PAN published an advisory that describes an insufficient session expiration vulnerability in their Prisma Cloud Compute Edition product.

PAN Advisory #11 - PAN published an advisory that discusses 14 vulnerabilities in their PAN-OS product.

Panasonic Advisory - JP-CERT published an advisory that describes a missing protection mechanism for alternate hardware interface vulnerability in the Panasonic IR Control Hub.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes an allocation of resources without limits or throttling vulnerability in their Bus coupler for Axioline F and Inline Remote-I/O-system.

Rockwell Advisory - Rockwell published an advisory that discusses an improper restriction of XML external entity reference vulnerability in their FactoryTalk Historian-ThingWorx Connection Server.

SEL Advisory #1 - SEL published a software update notice that addressed cybersecurity issues for their SEL-5056 Software-Defined Network Flow Controller product.

SEL Advisory #2 - SEL published a software update notice that addressed cybersecurity issues for their SEL-5030 acSELerator QuickSet Software.

SEL Advisory #3 - SEL published a software update notice that addressed cybersecurity issues for their Flow Controller product.

Schneider Advisory #1 - Schneider published an advisory that describes an externally controlled reference to resource in another sphere vulnerability in their Modicon Controllers.

Schneider Advisory #2 - Schneider published an advisory that discusses a classic buffer overflow vulnerability in two of their Wiser home automation products.

Schneider Advisory #3 - Schneider published an advisory that discusses a classic buffer overflow vulnerability in PrismaSeT Active, wireless panel server.

Schneider Advisory #4 - Schneider published an advisory that discusses a missing authentication for critical function vulnerability in their Galaxy VS, VL, and VXL products.

Siemens Advisory - Siemens published an advisory that discusses a missing encryption of sensitive data vulnerability in their Siveillance Video product.

Supermicro Advisory - Supermicro published an advisory that discusses five vulnerabilities (one with publicly available exploits) in 16 separate Supermicro product lines.

VMware Advisory #1 - Broadcom published an advisory that describes a cross-site scripting vulnerability in the VMware Aria automation product.

VMware Advisory #2 - Broadcom published an advisory that describes a link following vulnerability in the VMware Tools product.

WatchGuard Advisory #1 - WatchGuard published an advisory that describes a cross-site scripting vulnerability in their Firebox product (Fireware OS).

WatchGuard Advisory #2 - WatchGuard published an advisory that describes a cross-site scripting vulnerability in their Firebox product (Fireware OS).

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-90e - subscription required.

Sunday, April 13, 2025

Review – Public ICS Disclosures – Week of 4-5-25 – Part 2

For Part 2 this week we have 23 additional vendor disclosures from Panasonic, Philips (2), Schneider (2), Siemens (3), and Splunk (15).

Advisories

Panasonic Advisory - Panasonic published a release note that reports a fix for a missing protection mechanism for alternate hardware interface vulnerability in their Wi-Fi based IR Blaster.

Philips Advisory #1 - Philips published an advisory that describes three vulnerabilities in their Philips IntelliSpace Portal and Advanced Visualization Workspace products.

Philips Advisory #2 - Philips published an advisory that discusses a CrushFTP authentication bypass vulnerability.

Schneider Advisory #1 - Schneider published an advisory that describes two vulnerabilities in their ConneXium Network Manager software.

Schneider Advisory #2 - Schneider published an advisory that describes three vulnerabilities in their Trio Q Licensed Data Radios.

Siemens Advisory #1 - Siemens published an advisory that describes an observable response discrepancy vulnerability in their Mendix Runtime product.

Siemens Advisory #2 - Siemens published an advisory that describes a weak authentication vulnerability in their Industrial Edge Device Kit.

Siemens Advisory #3 - Siemens published an advisory that describes an uncontrolled resource consumption vulnerability in their ICMP service in Industrial Devices.

Splunk Advisory #1 - Splunk published an advisory that discusses three vulnerabilities (one with publicly available exploit code) in their Connect for Syslog product.

Splunk Advisory #2 - Splunk published an advisory that discusses an injection vulnerability in their SDK for JavaScript.

Splunk Advisory #3 - Splunk published an advisory that discusses multiple vulnerabilities in their Juniper SRX App. These are third-party (Libxml2) vulnerabilities.

Splunk Advisory #4 - Splunk published an advisory that discusses multiple vulnerabilities in their Microsoft SQL Server App.

Splunk Advisory #5 - Splunk published an advisory that discusses multiple vulnerabilities in their Microsoft Azure SQL App.

Splunk Advisory #6 - Splunk published an advisory that discusses multiple vulnerabilities in their Kafka App.

Splunk Advisory #7 - Splunk published an advisory that discusses multiple vulnerabilities in their Snowflake App.

Splunk Advisory #8 - Splunk published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their NetWitness Logs and Packets App.

Splunk Advisory #9 - Splunk published an advisory that discusses an insufficient verification of data authenticity vulnerability in their Symantec Endpoint Protection 14 App.

Splunk Advisory #10 - Splunk published an advisory that discusses multiple vulnerabilities (one with publicly available exploit) in their Symantec Data Loss Prevention App.

Splunk Advisory #11 - Splunk published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their ProtectWise App.

Splunk Advisory #12 - Splunk published an advisory that discusses multiple vulnerabilities (one with publicly available exploit) in their PostgreSQL App.

Splunk Advisory #13 - Splunk published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their PagerDuty App.

Splunk Advisory #14 - Splunk published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their FireAMP App.

Splunk Advisory #15 - Splunk published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their Fidelis Network App.

 

For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-dd3 - subscription required.

Saturday, August 31, 2024

Review – Public ICS Disclosures – Week of 8-24-24

This week we have 21 vendor advisories from Beckhoff (4), B&R, Dassault Systèmes (4), Elecom (2), Hitachi, Hitachi Energy, HP (2), Meinberg, Panasonic, TRUMPF (2), and Wireshark. There are also eight vendor updates from B&R, Dell, Elecom (5), and Moxa. Finally, we have five exploits for products from Aruba and Elber (4).

Advisories

Beckhoff Advisory #1 - CERT-VDE published an advisory that describes a cross-site scripting vulnerability in the Beckhoff TwinCAT/BSD-based products.

Beckhoff Advisory #2 - CERT-VDE published an advisory that describes an authentication bypass by alternate path or channel vulnerability in the Beckhoff TwinCAT/BSD-based products.

Beckhoff Advisory #3 - CERT-VDE published an advisory that describes a classic buffer overflow vulnerability in the Beckhoff TwinCAT/BSD-based products.

Beckhoff Advisory #4 - CERT-VDE published an advisory that describes an allocation of resources without limit or throttling vulnerability in the Beckhoff TwinCAT/BSD-based products.

B&R Advisory - B&R published an advisory that describes three vulnerabilities in their APROL condition monitoring software.

Dassault Systèmes Advisory #1 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Systèmes Advisory #2 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DSwym in 3DSwymer.

Dassault Systèmes Advisory #3 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DDashboard in 3DSwymer.

Dassault Systèmes Advisory #4 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DDashboard in 3DSwymer.

Elecom Advisory #1 - JP-CERT published an advisory that describes four vulnerabilities in the Elecom wireless LAN routers and access points.

Elecom Advisory #2 - JP-CERT published an advisory that describes three vulnerabilities in the Elecom wireless LAN routers.

Hitachi Advisory - Hitachi published an advisory that describes an authentication bypass vulnerability in their Ops Center Common Services product.

Hitachi Energy Advisory - Hitachi Energy published an advisory that describes an SQL injection vulnerability in their MicroSCADA X SYS600 product.

HP Advisory #1 - HP published an advisory that discusses two vulnerabilities in their Z4, Z6, and Z8 workstations.

HP Advisory #2 - HP published an advisory that discusses an incorrect default permissions vulnerability in their notebook PCs.

Meinberg Advisory - Meinberg published an advisory that discusses three vulnerabilities (all with publicly available exploits) in their LANTIME product.

Panasonic Advisory - JP-CERT published an advisory that describes a stack-based buffer overflow vulnerability in the Panasonic Control FPWIN Pro7.

Trumpf Advisory #1 - CERT-VDE published an advisory that discusses the regreSSHion vulnerability.

Trumpf Advisory #2 - CERT-VDE published an advisory that discusses a use after free vulnerability (listed in the CISA Known Exploited Vulnerability Catalog) in the Trumpf TruControl laser control software products.

Wireshark Advisory - Wireshark published an advisory that describes an out-of-bounds read vulnerability in their NTLMSSP dissector.

Updates

B&R Updates - B&R published an update for their Automation Runtime advisory that was originally published on August 9th, 2024.

Dell Update - Dell published an update for their Dell ThinOS advisory that was originally published on June 12th, 2024, and most recently updated on July 19th, 2024.

Elecom Update #1 - JP-CERT published an update for their ELECOM and LOGITEC network devices advisory that was originally published on August 10th, 2024.

Elecom Update #2 - JP-CERT published an update for their wireless LAN routers advisory that was originally published on July 30th, 2024.

Elecom Update #3 - JP-CERT published an update for their wireless LAN routers and wireless LAN repeater advisory that was originally published on March 26th, 2024 and most recently updated on May 28th, 2024.

Elecom Update #4 - JP-CERT published an update for their wireless LAN routers advisory that was originally published on March 26th, 2024 and most recently updated on May 28th, 2024.

Elecom Update #5 - JP-CERT published an update for their wireless LAN routers advisory that was originally published on May 28th, 2024.

Moxa Update - Moxa published an update for their regreSSHion advisory that was originally published on August 2nd, 2024, and most recently updated on August 9th, 2024.

Exploits

Aruba Exploit - Hosein Vita published an exploit for a remote code execution vulnerability in the Aruba 501 CN12G5W0XX wireless access point.

Elber Exploit #1 - LiquidWorm published an exploit for an authentication bypass vulnerability in the Elber ESE DVB-S/S2 Satellite Receiver.

Elber Exploit #2 - LiquidWorm published an exploit for a device configuration vulnerability in the Elber ESE DVB-S/S2 Satellite Receiver.

Elber Exploit #3 - LiquidWorm published an exploit for an authentication bypass vulnerability in the Elber Wayber Analog/Digital Audio.

Elber Exploit #4 - LiquidWorm published an exploit for a device configuration vulnerability in the Elber Wayber Analog/Digital Audio.

 

For more information about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, as well as a brief summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-631 - subscription required.

Saturday, August 24, 2024

Review – Public ICS Disclosures – Week of 8-17-24

This week we have eleven vendor disclosures from Bosch, Dassault Systèmes (3), HPE, Palo Alto Networks, Moxa, Panasonic, Rockwell, SonicWall, and Welotec. There are also three vendor updates from Cisco and HPE.

Advisories

Bosch Advisory - Bosch published an advisory that describes a missing authentication vulnerability in their CPP13 and CPP14 IP cameras.

Dassault Systèmes Advisory #1 – Dassault Systèmes published an advisory that describes an open redirect vulnerability in their 3DSwymer product.

Dassault Systèmes Advisory #2 – Dassault Systèmes published an advisory that describes a reflected cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator product.

Dassault Systèmes Advisory #3 – Dassault Systèmes published an advisory that describes an open redirect vulnerability in their 3DSwymer product.

HPE Advisory - HPE published an advisory that discusses nine vulnerabilities in their HPE SimpliVity AMD Servers.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that discusses OpenSSL’s exposure of sensitive information to an unauthorized actor vulnerability.

Moxa Advisory - Moxa published an advisory that discusses the regreSSHion vulnerability. Moxa provides a list of the affected products.

Panasonic Advisory - Panasonic acknowledges a stack-based buffer overflow vulnerability in their Control FPWIN Pro product.

Rockwell Advisory - Rockwell published an advisory that describes three vulnerabilities in their ThinManager ThinServer product.

SonicWall Advisory - SonicWall published an advisory that describes an improper access control vulnerability in their SonicOS product.

Welotec Advisory - CERT-VDE published an advisory that discusses the regreSSHion vulnerability.

Updates

Cisco Update #1 - Cisco published an update for their regreSSHion advisory that was originally published on July 2nd, 2024 and most recently updated on August 2nd, 2024.

Cisco Update #2 - Cisco published an update for their Blast-Radius advisory that was originally published on July 10th, 2024, and most recently updated on August 9th, 2024.

HPE Update - HPE published an update for their ProLiant DL/ML/XL, Synergy, MicroServer, and Edgeline Servers advisory that was originally published on August 13th, 2024.

 

For more information on these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-e17 - subscription required. 

Saturday, April 27, 2024

Review – Public ICS Disclosures – Week of 4-20-24 – Part 2

For Part 2 we have nine additional vendor disclosures from Panasonic, QNAP (6), WatchGuard, and Welotec. We also have eight vendor updates from Broadcom (6), Mitsubishi, and Palo Alto Networks. There are four researcher reports for products from Mathieu Malaterre (3) and Offis. Finally, we have three exploits for products from FortiGuard and Palo Alto Networks (2).

Advisories

Panasonic Advisory - Panasonic published an advisory that describes an improper restriction of operations within the bounds of a memory buffer vulnerability.

QNAP Advisory #1 - QNAP published an advisory that describes four vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #2 - QNAP published an advisory that discusses four vulnerabilities in their utility Proxy Server.

QNAP Advisory #3 - QNAP published an advisory that describes two vulnerabilities in their QuFirewall.

QNAP Advisory #4 - QNAP published an advisory that describes an integer overflow or wraparound vulnerability in their QTS, QuTS hero, and QuTScloud product.

QNAP Advisory #5 - QNAP published an advisory that describes an improper authentication vulnerability in their Media Streaming Add-on.

QNAP Advisory #6 - QNAP published an advisory that describes two path traversal vulnerabilities in their QTS, QuTS hero, and QuTScloud products.

WatchGuard Advisory - WatchGuard published an advisory that discusses the Diffie-Hellman Key Agreement Protocol Weaknesses.

Welotec Advisory - CERT-VDE published an advisory that describes an improper restriction of rendered UI layers or frames vulnerability in their SMART EMS and VPN Security Suite products.

Updates

Broadcom Update #1 - Broadcom published an update for their EZServer module advisory that was originally published on November 8th, 2022.

Broadcom Update #2 - Broadcom published an update for their Identical SSH keys advisory that was originally published on April 10th, 2024.

Broadcom Update #3 - Broadcom published an update for their Hardcoded TLS keys advisory that was originally published on April 11th, 2024.

Broadcom Update #4 - Broadcom published an update for their SANnav OVA advisory that was originally published on April 11th, 2024.

Broadcom Update #5 - Broadcom published an update for their Insecure file permission advisory that was originally published on April 11th, 2024.

Broadcom Update #6 - Broadcom published an update for their Docker instances advisory that was originally published on April 11th, 2024.

Mitsubishi Update - Mitsubishi published an update for their Microsoft Message Queuing advisory that was originally published on February 20th, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their Arbitrary File Creation advisory that was originally published on April 12th, 2024 and most recently updated on April 20th, 2024.

Reports

Offis Report - Cisco Talos published a report describing an incorrect type conversion or cast vulnerability in the Offis DCMTK, a collection of DICOM libraries.

Exploits

FortiGuard Exploit - Spencer McIntyre published a Metasploit module for an SQL injection vulnerability in the FortiClient EMS (this vulnerability is listed in CISA’s Known Exploited Vulnerabilities Catalog).

Palo Alto Networks Exploit #1 - Sfewer-r7 published a Metasploit module for a command injection vulnerability in the Palo Alto Networks PAN-OS (this vulnerability is listed in CISA’s KEV Catalog).

Palo Alto Networks Exploit #2 - Kr0ff published an exploit for a command injection vulnerability in the Palo Alto Networks PAN-OS (this vulnerability is listed in CISA’s KEV Catalog).

 

For more information about these disclosures, including links to 3rd party advisories and researcher reports, as well as summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-6e6 - subscription required.

Saturday, September 30, 2023

Review – Public ICS Disclosures – Week of 9-23-23

This week we have 15 vendor disclosures from Belden, Hitachi (5), Hitachi Energy, HPE, Panasonic, Pilz, Rockwell (2), SEL, Synology, and VMware. There are three vendor updates from Broadcom.

Advisories

Belden Advisory - Belden published an advisory that discusses 14 vulnerabilities in a number of their Hirschmann products.

Hitachi Advisory #1 - Hitachi published an advisory that discusses an observable discrepancy vulnerability in their Command Suite and Configuration Manager products.

Hitachi Advisory #2 - Hitachi published an advisory that discusses an integer overflow or wraparound vulnerability in their Cosminexus HTTP Server.

Hitachi Advisory #3 - Hitachi published an advisory that discusses an integer overflow or wraparound vulnerability in their Cosminexus HTTP Server.

Hitachi Advisory #4 - Hitachi published an advisory that discusses an integer overflow or wraparound vulnerability in their Cosminexus HTTP Server.

Hitachi Advisory #5 - Hitachi published an advisory that discusses an allocation of resources without limit or throttling vulnerability in their Cosminexus HTTP Server.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses 14 vulnerabilities in their AFS65x, AFS67x, AFR67x and AFF66x series Products.

HPE Advisory - HPE published an advisory that describes two authentication bypass vulnerabilities in their OneView product.

Panasonic Advisory - JP-CERT published an advisory that describes two vulnerabilities in the Panasonic KW Watcher product.

Pilz Advisory - Pilz published an advisory that discusses five vulnerabilities in multiple Pilz products.

Rockwell Advisory #1 - Rockwell published an advisory that discusses five vulnerabilities (listed in CISA’s KEV) in their Connected Components Workbench.

Rockwell Advisory #2 - Rockwell published an advisory that describes an out-of-bounds write vulnerability in their Logix Communication Modules.

SEL Advisory - SEL published a software update for their Configuration API which addressed three cybersecurity vulnerabilities and included two cybersecurity enhancements.

Synology Advisory - Synology published an advisory that describes a security bypass vulnerability in their Synology Router Manager (SRM).

VMware Advisory - VMware published an advisory that describes a privilege escalation vulnerability in their Aria Operations product.

Wago Advisory - CERT-VDE published an advisory that describes two vulnerabilities in their Codemeter product.

Updates

Broadcom Update #1 - Broadcom published an update for their Apache HTTP Server advisory that was originally published on August 1st, 2023.

Broadcom Update #2 - Broadcom published an update for their Apache HTTP Server advisory that was originally published on August 1st, 2023.

Broadcom Update #3 - Broadcom published an update for their sctp_make_strreset_req function advisory that was originally published on August 1st, 2023.

 

For more details on these disclosures, including links to researcher reports, 3rd party advisories, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-e63 - subscription required. [added link to CFSN article, 23:15 EDT, 9-30-23]

Tuesday, July 11, 2023

Review – 3 Advisories and 1 Update Published – 7-11-23

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Panasonic, Sensormatic, and Rockwell Automation. They also published an update for an advisory from Mitsubishi Electric.

Articles

Panasonic Advisory - This advisory describes three vulnerabilities in the Panasonic Control FPWIN Pro7.

Johnson Controls Advisory - This advisory describes an improper access control vulnerability in the Johnson Controls iSTAR Ultra products.

Rockwell Advisory - This advisory describes a cross-site request forgery vulnerability in the Rockwell Enhanced HIM API.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on June 29th, 2023.

 

For more details about these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-ed2 - subscription required.

Saturday, July 8, 2023

Review – Public ICS Disclosures – Week of 7-1-23

This week we have eleven vendor disclosures from Aruba Networks, Bosch (2), Enphase, Frauscher Sensortechnik, Hikvision, Moxa, Softing (2), VMware and Zyxel. And we have 29 researcher reports for products from Panasonic (3), Milesight (25), and Siemens.

Advisories

Aruba Advisory - Aruba published an advisory that describes nine vulnerabilities in the Aruba OS products.

Bosch Advisory #1 - Bosch published an advisory that discusses two vulnerabilities in their FL MGUARD family devices.

Bosch Advisory #2 - Bosch published an advisory that discusses a missing authentication for critical function vulnerability in their SLC-0-GPNT00300 interface module.

Enphase Advisory - Enphase published an advisory that describes an OS command injection vulnerability in their Enphase IQ Gateway (Envoy).

Frauscher Advisory - CERT-VDE published an advisory that describes a path traversal vulnerability in the Frauscher Diagnostic System FDS001 for FAdC R1 and FAdCi R1.

Hikvision Advisory - Hikvision published an advisory that describes two vulnerabilities in their access control/intercom products.

Moxa Advisory - Moxa published an advisory that describes an observable response discrepancy vulnerability in their TN-5900 Series product.

Softing Advisory #1 - Softing published an advisory that describes two vulnerabilities in their OPC UA C++ SDK and Secure Integration Server.

Softing Advisory #2 - Softing published an advisory that describes an uncontrolled resource consumption vulnerability in a number of their products.

VMware Advisory - VMware published an advisory that describes an authentication bypass vulnerability in their SD-WAN (Edge) product.

Zyxel Advisory - Zyxel published an advisory that describes a classic buffer overflow vulnerability in their 4G LTE and 5G NR outdoor routers.

Researcher Reports

Panasonic Reports - AWESEC published three reports describing individual vulnerabilities in the Panasonic AiSEG2.

Milesight Reports - Talos Intelligence published 25 reports (some with multiple vulnerabilities) for the Milesight UR32L urvpn_client and MilesightVPN server.

Siemens Report - SEC Consult published a report describing four vulnerabilities in the Siemens A8000 product.

 

For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-bcb - subscription required.

Thursday, January 12, 2023

Review – 11 Advisories and 1 Update Published – 1-12-23

Today, CISA’s NCCIC-ICS published eleven control system security advisories for products from Siemens (4), Johnson Controls, SAUTER Controls, Panasonic, InHand Networks, RONDS, Sewio, and Hitachi Energy. They also updated a medical device security advisory for products from Philips. Siemens published two other advisories on Tuesday that were not addressed by NCCIC-ICS; I will cover them this weekend.

NOTE: NCCIC-ICS added a notice to each of the four Siemens advisories published today that: “Beginning January 10, 2023, CISA will no longer be updating historical security advisories for Siemens product vulnerabilities. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).” This will result in a significant reduction in the workload for NCCIC-ICS in the week of Cybersecurity Tuesday.

Advisories

Siemens Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Siemens Mendix SAML Module.

Siemens Advisory #2 - This advisory describes a missing immutable root of trust in hardware vulnerability in the Siemens S7-1500 CPU product family.

Siemens Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens Solid Edge product.

Siemens Advisory #4 - This advisory describes two vulnerabilities in the Siemens Automation License Manager (ALM).

Johnson Controls Advisory - This advisory describes an insufficiently protected credentials vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers.

SAUTER Advisory - This advisory describes two vulnerabilities in the SAUTER Controls Nova 200–220 Series (PLC 6).

Panasonic Advisory - This advisory describes a cross-site request forgery vulnerability in versions of the Panasonic Sanyo CCTV Network Camera.

InHand Advisory - This advisory describes five vulnerabilities in the InHand InRouter302 and InRouter615.

RONDS Advisory - This advisory describes two vulnerabilities in the RONDS Equipment Predictive Maintenance (EPM) product.

Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Lumada Asset Performance Management product.

Updates

Philips Update - This update provides additional information on an advisory that was originally published on November 18th, 2021.

 

For more details on these advisories, including links to researcher reports, exploits, and a discussion about problems with CVE numbers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/11-advisories-and-1-update-published-798 - subscription required.


Tuesday, January 5, 2021

6 Advisories Published – 1-5-21

Today the CISA NCCIC-ICS published six control system security advisories for products from Delta Electronics (2), Red Lion, GE, Panasonic and Schneider.

CNCSoft Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Delta CNCSoft ScreenEditor. The vulnerability was reported by Kimiya via the Zero Day Initiative. Delta has an update that mitigates the vulnerability. There is no indication that Kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.

DOPSoft Advisory

This advisory describes two vulnerabilities in the Delta DOPSoft software. The vulnerabilities were reported by Kimiya via the Zero Day Initiative. Delta has an update that mitigates the vulnerabilities. There is no indication that Kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Out-of-bounds write - CVE-2020-27275, and

• Untrusted pointer dereference - CVE-2020-27277

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow arbitrary code execution.

Red Lion Advisory

This advisory describes three vulnerabilities in the Red Lion Crimson 3.1 programming software. The vulnerabilities were reported by Marco Balduzzi, Ryan Flores, Philippe Lin, Charles Perine, and Rainer Vosseler via ZDI. Red Lion has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Null pointer dereference - CVE-2020-27279,

• Missing authentication for critical function - CVE-2020-27285, and

• Improper resource shutdown - CVE-2020-27283

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to create a denial-of-service condition, read and modify the database, and leak memory data.

GE Advisory

This advisory describes two vulnerabilities in the GE Reason RT43X Clocks. The vulnerabilities were reported by Tom Westenberg of Thales UK. GE has a new firmware version that mitigates the vulnerabilities. There is no indication that Westenberg has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Code injection - CVE-2020-25197, and

• Use of hard-coded cryptographic key - CVE-2020-25193

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an authenticated remote attacker to execute arbitrary code on the system or intercept and decrypt encrypted traffic.

NOTE: I (very) briefly mentioned the GE advisory for these vulnerabilities back in November.

Panasonic Advisory

This advisory describes an out-of-bounds read vulnerability in the Panasonic FPWIN Pro programming software. The vulnerability was reported by Francis Provencher via ZDI. Panasonic has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow remote code execution.

Schneider Advisory

This advisory describes three vulnerabilities in the Schneider Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy products. The vulnerabilities were reported (here and here) by Kai Wang of Fortinet's FortiGuard Labs. Schneider continues to work on mitigation measures for supported versions of the affected products.

The three reported vulnerabilities were:

• Out-of-bounds read - CVE-2020-7562,

• Out-of-bounds write - CVE-2020-7563, and

• Classic buffer overflow - CVE-2020-7564

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow write access and the execution of commands, which could result in data corruption or a web server crash.

NOTE: I briefly described these vulnerabilities back in November.

NCCIC-ICS Updates

NCCIC-ICS also published five updates today. I will cover them in a separate blog post.

Friday, June 7, 2019

Two Advisories Published – 06-06-19


This advisory describes two vulnerabilities in the Panasonic Control FPWIN Pro PLC programming software. The vulnerabilities were reported by kimiya of 9sg Security Team via the Zero Day Initiative. Panasonic has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2019-6530; and

• Type confusion - CVE-2019-6532

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device and allow remote code execution.

Optergy Advisory


This advisory describes eight vulnerabilities in the Optergy Proton/Enterprise Building Management System. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Optergy has a new version that mitigates the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities are:

• Information exposure (2) - CVE-2019-7272 and CVE-2019-7277;

• Cross-site request forgery - CVE-2019-7273;

• Unrestricted upload of file with dangerous type - CVE-2019-7274;

• Open redirect - CVE-2019-7275;

• Hidden functionality - CVE-2019-7276;

• Exposed dangerous method or function - CVE-2019-7278; and

• Use of hard-coded credentials - CVE-2019-7279

NOTE: I briefly reported on these vulnerabilities last month. Interestingly, the Applied Risk advisory describes six vulnerabilities but provides all eight of the above CVEs.

Tuesday, May 10, 2016

ICS-CERT Publishes Panasonic Advisory

This morning the DHS ICS-CERT published an advisory for a number of vulnerabilities in the Panasonic FPWIN Pro application. The vulnerabilities were reported through ZDI by Steven Seeley. Panasonic has developed a new version of the software that mitigates the vulnerabilities. There is no indication that Seeley has been given the opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Heap-based buffer overflow vulnerabilities - CVE-2016-4499;
• Access of uninitialized pointer - CVE-2016-4498;
• Out-of-bounds write - CVE-2016-4496; and
• Type confusion - CVE-2016-4497

ICS-CERT reports that a social engineering attack would be required to exploit these vulnerabilities.


NOTE: It has now been 11 days since Siemens announced that they had updated their advisory on frame padding in ROS devices. ICS-CERT has not yet updated their advisory on this vulnerability. The update provides additional information about which products are affected by the vulnerability.
 