Showing posts with label Softing. Show all posts

Saturday, September 21, 2024

Review – Public ICS Disclosures – Week of 9-14-24

This week we have 16 vendor disclosures from CIRCUTOR, Dell, Dassault Systems (2), GE Vernova, Hitachi, HP (2), Moxa, Philips (3), SEL, Softing, Supermicro, and VMware. There are also two updates from HPE and Moxa. Finally, we also have six researcher reports for products from OpenPLC (3), Riello, and Supermicro (2).

Advisories

CIRCUTOR Advisory - Incibe-CERT published an advisory that describes six vulnerabilities in the CIRCUTOR Q-SMT and TCP2RS+ substation equipment.

Dell Advisory - Dell published an advisory that discusses seven vulnerabilities (three with publicly available exploits) in their ThinOS products.

Dassault Systems Advisory #1 - Dassault Systems published an advisory that describes a cross-site scripting vulnerability in their 3DEXPERIENCE product.

Dassault Systems Advisory #2 - Dassault Systems published an advisory that describes a cross-site scripting vulnerability in their 3DEXPERIENCE product.

GE Vernova Advisory - GE Vernova published an advisory that describes six vulnerabilities in their ControlST platform.

HPE Advisory #1 - HPE published an advisory that discusses five vulnerabilities in their StoreEasy Servers.

HPE Advisory #2 - HPE published an advisory that describes three vulnerabilities in their Aruba Networking Controller and Gateway-Based AOS.

Moxa Advisory - Moxa published an advisory that describes three vulnerabilities in their MXview One and MXview One Central Manager Series.

Philips Advisory #1 - Philips published an advisory that discusses the recent Fortinet breach.

Philips Advisory #2 - Philips published an advisory that discusses the recent VMware vulnerabilities.

Philips Advisory #3 - Philips published an advisory that discusses the recent Windows Update Downgrade Attack Advisory.

SEL Advisory - SEL published a version update notice for their SEL-5032 acSELerator Architect Software.

Softing Advisory - Softing published an advisory that describes a missing release of memory vulnerability in their uaToolkit Embedded and smartLink products.

Supermicro Advisory - Supermicro published an advisory that discusses two vulnerabilities in their Denverton platform.

VMware Advisory - VMware published an advisory that describes two vulnerabilities in their vCenter Server.

Updates

HPE Update - HPE published an update for their HPE ProLiant DL/ML/XL, Synergy, and Edgeline Servers advisory that was originally published on September 16th, 2024.

Moxa Update - Moxa published an update for their regreSSHion vulnerability advisory that was originally published on August 2nd, 2024 and most recently updated on September 10th, 2024.

Researcher Reports

OpenPLC Report #1 - Talos published a report that describes a stack-based buffer overflow vulnerability in the OpenPLC OpenPLC_v3.

OpenPLC Report #2 - Talos published a report that describes two out-of-bounds read vulnerabilities in the OpenPLC OpenPLC_v3.

OpenPLC Report #3 - Talos published a report that describes two incorrect type or cast vulnerabilities in the OpenPLC OpenPLC_v3.

Riello Report - CyberDanube published a report describing two vulnerabilities in the Riello Netman 204 network communications card.

Supermicro Report #1 - Binarly published a report that describes a use of hard-coded credentials vulnerability in the Supermicro BMC Firmware.

Supermicro Report #2 - Binarly published a report that describes an insecure RSA signing key used in multiple Supermicro servers.

 

For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-ed6 - subscription required.

Saturday, July 27, 2024

Review – Public ICS Disclosures – Week of 7-20-24

This week we have two CrowdStrike outage advisories. We also have 18 other vendor advisories for products from Broadcom, Draeger, Hitachi, HPE (4), Meinberg, National Instruments (7), WithSecure (2), and Zyxel. We have three vendor updates from Cisco (2) and HP. There is also a researcher report for vulnerabilities in products from Perkin Elmer. Finally, we have an exploit for products from Softing.

CrowdStrike Outage

GE Vernova published an advisory that discussed the impact on some of their Monitoring & Diagnostics products.

Philips published an advisory that provides a list of potentially affected products.

Advisories

Broadcom Advisory - Broadcom published an advisory that discusses ten vulnerabilities in the Azul Zulu component of their Brocade SANnav product.

Draeger Advisory - Draeger published an advisory that discusses a deserialization of untrusted data vulnerability (listed in the CISA Known Exploited Vulnerability Catalog).

Hitachi Advisory - Hitachi published an advisory that discusses 27 vulnerabilities in their Disk Array Systems.

HPE Advisory #1 - HPE published an advisory that describes three vulnerabilities in their Aruba EdgeConnect SD-WAN Orchestrator.

HPE Advisory #2 - HPE published an advisory that discusses 21 vulnerabilities (6 with known exploits) in their Unified OSS Console Assurance Monitoring (UOCAM) product.

HPE Advisory #3 - HPE published an advisory that discusses seven vulnerabilities (one with known exploit) in their Aruba EdgeConnect SD-WAN Gateways.

HPE Advisory #4 - HPE published an advisory that discusses an out-of-bounds write vulnerability in their ProLiant DL/ML/SY/XL and Alletra Servers.

Meinberg Advisory - Meinberg published an advisory that discusses ten vulnerabilities (2 with known exploits) in their Lantime product.

National Instruments Advisory #1 - National Instruments published an advisory that describes two missing authorization vulnerabilities in their VeriStand Gateway product.

National Instruments Advisory #2 - National Instruments published an advisory that describes two deserialization of untrusted data vulnerabilities in their VeriStand product.

National Instruments Advisory #3 - National Instruments published an advisory that describes a path traversal vulnerability in their VeriStand product.

National Instruments Advisory #4 - National Instruments published an advisory that describes a deserialization of untrusted data vulnerability in their VeriStand Project File product.

National Instruments Advisory #5 - National Instruments published an advisory that describes an integer overflow or wraparound vulnerability in their TDMS Files in LabVIEW.

National Instruments Advisory #6 - National Instruments published an advisory that describes an incorrect default permissions vulnerability in their SystemLink Redis Service.

National Instruments Advisory #7 - National Instruments published an advisory that describes an out-of-date component with multiple vulnerabilities in their SystemLink Server.

WithSecure Advisory #1 - WithSecure published an advisory that describes a denial of service vulnerability in their WithSecure Mac antivirus software.

WithSecure Advisory #2 - WithSecure published an advisory that describes a privilege escalation vulnerability in their WithSecure Mac Products.

Zyxel Advisory - Zyxel published an advisory that describes an improper privilege management vulnerability in their Zyxel AP products.

Updates

Cisco Update #1 - Cisco published an update for their Blast-Radius advisory that was originally published on July 10th, and most recently updated on July 19th, 2024.

Cisco Update #2 - Cisco published an update for their regreSSHion advisory that was originally published on July 2nd, 2024, and most recently updated on July 19th, 2024.

HP Update - HP published an update for their Display Control Software advisory that was originally published on July 15th, 2024.

Researcher Reports

Perkin Elmer Report - CyberDanube published a report that describes three vulnerabilities in the Perkin Elmer ProcessPlus measurement software.

Exploits

Softing Exploit - Mr me published a Metasploit module for two vulnerabilities in the Softing Secure Integration Server.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-d58 - subscription required.

Saturday, March 16, 2024

Review – Public ICS Disclosures – Week of 2-9-24 – Part 2

For Part 2 we have four additional vendor disclosures from Schneider, Softing, WAGO, and Western Digital. We also have 17 vendor updates from Dell, HP (5), and Siemens (11). There is a researcher report about vulnerabilities in products from FortiGuard. Finally, we have five exploits for products from FortiGuard, Hitachi, Honeywell, Solar View, and VMware.

Advisories

Schneider Advisory - Schneider published an advisory that describes three vulnerabilities in their Easergy T200 RTU product line.

Softing Advisory - Softing published an advisory that describes a missing release of memory after effective lifetime vulnerability in their UA Toolkit and smartLink products.

WAGO Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the WAGO 750-8xx series PLCs.

Western Digital - Western Digital published an advisory that describes an uncontrolled search path element vulnerability in their SanDisk PrivateAccess Desktop App.

Updates

Dell Updates - Dell published an update for their Wyse Password Encoder advisory that was originally published on February 1st, 2019.

HP Update #1 - HP published an update for their Intel 2023.4 IPU advisory that was originally published on December 11th, 2023.

HP Update #2 - HP published an update for their AMI UEFI Firmware advisory that was originally published on January 26th, 2024.

HP Update #3 - HP published an update for their Intel Graphics Drivers advisory that was originally published on November 15th, 2023.

HP Update #4 - HP published an update for their AMD SMM Supervisor advisory that was originally published on December 7th, 2023.

HP Update #5 - HP published an update for their AMD Client UEFI Firmware advisory that was originally published on January 8th, 2024.

Siemens Update #1 - Siemens published an update for their SIMATIC STEP 7 advisory that was originally published on June 13th, 2023.

Siemens Update #2 - Siemens published an update for their SINEC NMS advisory that was originally published on February 13th, 2023.

Siemens Update #3 - Siemens published an update for their Polarion ALM advisory that was originally published on February 13th, 2024.

Siemens Update #4 - Siemens published an update for their OPC UA Implementation advisory that was originally published on September 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #5 - Siemens published an update for their Web Server of Industrial Products Advisory that was originally published on December 12, 2023.

Siemens Update #6 - Siemens published an update for their SIMATIC S7-1500 CPUs advisory that was originally published on December 12th, 2023.

Siemens Update #7 - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on December 13th, 2022 and most recently updated on September 12th, 2023.

Siemens Update #8 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on December 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #9 - Siemens published an update for their SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family that was originally published on November 14th, 2023 and most recently updated on December 12th, 2023.

Siemens Update #10 - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on April 11th, 2023 and most recently updated on September 12, 2023.

Siemens Update #11 - Siemens published an update for their Simcenter Femap advisory that was originally published on February 13th, 2024.

Researcher Reports

FortiGuard Report - Horizon3 published a report describing six vulnerabilities in the Fortinet FortiWLM product.

Exploits

FortiGuard Exploit - H4x0r-dz published an exploit for an out-of-bounds write vulnerability that is on the CISA Known Exploited Vulnerabilities Catalog.

Hitachi Exploit - Arslan Masood published an exploit for an improper authentication vulnerability in the Hitachi NAS.

Honeywell Exploit - BYTEHUNTER published an exploit for a command injection vulnerability in the Honeywell PM43 industrial printers.

Solar View Exploit - BYTEHUNTER published an exploit for a command injection vulnerability in the Solar View compact product.

VMware Exploit - Abdualhadi Khalifa published an exploit for a missing authentication for critical function vulnerability in the VMware Cloud Director.

 

For more information on these disclosures, including a brief description of changes in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-5d3 - subscription required.

Thursday, March 14, 2024

Review – 14 Advisories and 1 Update Published – 3-14-24

Today, CISA’s NCCIC-ICS published fourteen control system security advisories for products from Mitsubishi Electric, Softing, Delta Electronics, and Siemens (11). They also updated an advisory for products from Mitsubishi.

Advisories

Mitsubishi Advisory - This advisory describes five vulnerabilities in the Mitsubishi MELSEC-Q/L Series products.

Softing Advisory - This advisory describes two vulnerabilities in the Softing edgeConnector and edgeAggregator products.

Delta Advisory - This advisory describes ten vulnerabilities in the Delta DIAEnergie product.

RUGGEDCOM Advisory #1 - This advisory discusses 38 vulnerabilities (two on the CISA KEV catalog) in the Siemens RUGGEDCOM APE1808 devices.

RUGGEDCOM Advisory #2 - This advisory discusses seven vulnerabilities (two on KEV catalog) in the Siemens RUGGEDCOM APE1808.

Siveillance Advisory - This advisory describes an incorrect authorization vulnerability in the Siemens Siveillance Control physical security information management system.

Sinteso Advisory - This advisory describes three vulnerabilities in the Siemens Sinteso EN and Cerberus PRO EN fire protection systems.

SCALANCE Advisory - This advisory describes two vulnerabilities in the Siemens SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG families.

SIMATIC Advisory - This advisory discusses 157 vulnerabilities in the Siemens SIMATIC mobile RFID reader. These are third-party vulnerabilities.

SENTRON Advisory - This advisory describes a hidden functionality vulnerability in the Siemens SENTRON 3KC ATC6 Expansion Module Ethernet.

SINEMA Advisory #1 - This advisory describes an insertion of sensitive information into an externally-accessible file or directory vulnerability in the Siemens SINEMA Remote Connect Client.

SINEMA Advisory #2 - This advisory discusses two vulnerabilities in the Siemens SINEMA Remote Connect Server.

Solid Edge Advisory - This advisory describes an out-of-bounds read vulnerability in the Siemens Solid Edge product.

SENTRON Advisory - This advisory describes an improper access control vulnerability in the Siemens SENTRON 7KM PAC3120 and 7KM PAC3220 products.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on May 23rd, 2023 and most recently updated on September 12th, 2023.

 

For more information on these advisories, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-and-1-update-published-668 - subscription required.


Sunday, August 13, 2023

Review – Public ICS Disclosures – Week of 8-5-23 – Part 2

For Part 2 we have a vendor disclosure for products from Schneider. There are also 17 vendor updates from B&R, FortiGuard, Schneider (3) and Siemens (12). Finally, we have 20 researcher reports for products from Advantech, BlueMark, NVIDIA, Softing (11), and Inductive Automation (6).

Advisories

Schneider Advisory - Schneider published an advisory that describes an improper restriction of operations within the bounds of a memory buffer in their Pro-face GP-Pro EX product.

Updates

B&R Update - B&R published an update for their SLP based traffic advisory that was originally published on May 31st, 2023.

FortiGuard Update - FortiGuard published an update for their FortiOS buffer overflow advisory that was originally published on July 28th, 2023.

Schneider Update #1 - Schneider published an update for their EcoStruxure Control Expert advisory that was originally published on January 10th, 2023, and most recently updated on March 14th, 2023.

Schneider Update #2 - Schneider published an update for their EcoStruxure Control Expert advisory that was originally published on January 10th, 2023, and most recently updated on July 11th, 2023.

Schneider Update #3 - Schneider published an update for their CODESYS Runtime advisory that was originally published on July 11th, 2023.

Siemens Update #1 - Siemens published an update for their Multiple File Parsing advisory that was originally published on May 9th, 2023.

Siemens Update #2 - Siemens published an update for their Authentication Bypass advisory that was originally published on March 14th, 2023 and most recently updated on June 13th, 2023.

Siemens Update #3 - Siemens published an update for their Linux Kernel advisory that was originally published on June 13th, 2023 and most recently updated on July 11th, 2023.

Siemens Update #4 - Siemens published an update for their File Parsing Vulnerabilities advisory that was originally published on July 11th, 2023.

Siemens Update #5 - Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023 and most recently updated on June 13th, 2023.

Siemens Update #6 - Siemens published an update for their IPU 2022.3 Vulnerabilities advisory that was originally published on February 14th, 2023 and most recently updated on July 11th, 2023.

Siemens Update #7 - Siemens published an update for their Missing CSRF Protection advisory that was originally published on November 8th, 2022, and most recently updated on July 11th, 2023.

Siemens Update #8 - Siemens published an update for their additional GNU/Linux subsystem advisory that was originally published on November 27th, 2018 and most recently updated on July 11th, 2023.

Siemens Update #9 - Siemens published an update for their Insyde BIOS Vulnerabilities advisory that was originally published on May 22nd, 2022 and most recently updated on July 11th, 2023.

Siemens Update #10 - Siemens published an update for their SISCO Stack Vulnerability advisory that was originally published on December 13th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #11 - Siemens published an update for their Privilege Management Vulnerability advisory that was originally published on December 13th, 2022. 

Researcher Reports

Advantech Report - CyberDanube published a report that describes two cross-site scripting vulnerabilities in the Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series products.

BlueMark Reports - Nozomi Networks published three reports about individual vulnerabilities in the BlueMark DroneScout ds230 Remote ID receiver.

NVIDIA Reports - Cisco TALOS published three reports for individual vulnerabilities in the NVIDIA GPU Display Driver.

Softing Report #1 - ZDI published a report that describes a resource exhaustion vulnerability in the Softing edgeConnector product.

Softing Report #2 - ZDI published a report that describes a directory traversal vulnerability in the Softing Integration Server.

Softing Reports #3-5 - ZDI published three reports of individual vulnerabilities in the Softing edgeAggregator.

Softing Reports #6-9 - ZDI published four reports of individual vulnerabilities in the Softing Secure Integration Server.

Softing Report #10 - ZDI published a report of a NULL pointer dereference vulnerability in the Softing edgeConnector.

Softing Report #11 - ZDI published a report of a hard-coded cryptographic key vulnerability in the Softing Secure Integration Server.

Inductive Automation Reports - ZDI published six reports of vulnerabilities in the Inductive Automation Ignition product.

 

For more details on these disclosures, including a brief summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-1b8 - subscription required.

Saturday, July 8, 2023

Review – Public ICS Disclosures – Week of 7-1-23

This week we have eleven vendor disclosures from Aruba Networks, Bosch (2), Enphase, Frauscher Sensortechnik, Hikvision, Moxa, Softing (2), VMware and Zyxel. And we have 29 researcher reports for products from Panasonic (3), Milesight (25), and Siemens.

Advisories

Aruba Advisory - Aruba published an advisory that describes nine vulnerabilities in the Aruba OS products.

Bosch Advisory #1 - Bosch published an advisory that discusses two vulnerabilities in their FL MGUARD family devices.

Bosch Advisory #2 - Bosch published an advisory that discusses a missing authentication for critical function vulnerability in their SLC-0-GPNT00300 interface module.

Enphase Advisory - Enphase published an advisory that describes an OS command injection vulnerability in their Enphase IQ Gateway (Envoy).

Frauscher Advisory - CERT-VDE published an advisory that describes a path traversal vulnerability in the Frauscher Diagnostic System FDS001 for FAdC R1 and FAdCi R1.

Hikvision Advisory - Hikvision published an advisory that describes two vulnerabilities in their access control/intercom products.

Moxa Advisory - Moxa published an advisory that describes an observable response discrepancy vulnerability in their TN-5900 Series product.

Softing Advisory #1 - Softing published an advisory that describes two vulnerabilities in their OPC UA C++ SDK and Secure Integration Server.

Softing Advisory #2 - Softing published an advisory that describes an uncontrolled resource consumption vulnerability in a number of their products.

VMware Advisory - VMware published an advisory that describes an authentication bypass vulnerability in their SD-WAN (Edge) product.

Zyxel Advisory - Zyxel published an advisory that describes a classic buffer overflow vulnerability in their 4G LTE and 5G NR outdoor routers.

Researcher Reports

Panasonic Reports - AWESEC published three reports describing individual vulnerabilities in the Panasonic AiSEG2.

Milesight Reports - Talos Intelligence published 25 reports (some with multiple vulnerabilities) for the Milesight UR32L urvpn_client and MilesightVPN server.

Siemens Report - SEC Consult published a report describing four vulnerabilities in the Siemens A8000 product.

 

For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-bcb - subscription required.

Saturday, October 15, 2022

Review – Public ICS Disclosures – Week of 10-8-22 – Part 1

This is a moderately busy Saturday after 2nd Tuesday. For Part 1 this week, we have fifteen vendor disclosures from Aruba, Bentley (3), Eaton, GE Healthcare, Hitachi Energy, HP, Palo Alto Networks, Phoenix Contact, PulseSecure, Softing (2), TandD, and VMware.

Aruba Advisory - Aruba published an advisory describing three vulnerabilities in their EdgeConnect Enterprise Orchestrator.

Bentley Advisory #1 - Bentley published an advisory that describes an out-of-bounds read vulnerability in their MicroStation and MicroStation-Based Applications.

Bentley Advisory #2 - Bentley published an advisory that describes a stack-based buffer overflow vulnerability in their MicroStation and MicroStation-Based Applications.

Bentley Advisory #3 - Bentley published an advisory that describes an out-of-bounds read vulnerability in their MicroStation and MicroStation-Based Applications.

Eaton Advisory - Eaton published an advisory that describes an unrestricted file upload vulnerability in their Foreseer EPMS.

GE Healthcare Advisory - GE published an advisory that provides guidance on securing serial ports in medical devices.

Hitachi Energy Advisory - Hitachi published an advisory that discusses two vulnerabilities in their MicroSCADA X DMS600 product.

HP Advisory - HP published an advisory that discusses eleven vulnerabilities in their GPU Display Driver.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that describes an authentication bypass vulnerability in their Pan-OS product.

Phoenix Contact Advisory - CERT-VDE published an advisory that discusses 83 vulnerabilities in the Phoenix Contact PLCnext Control.

PulseSecure Advisory - PulseSecure published an advisory that describes two denial of service vulnerabilities in their Ivanti Connect Secure products.

Softing Advisory #1 - Softing published an advisory that describes a use after free vulnerability in their OPC UA C++ SDK and OPC Suite products.

Softing Advisory #2 - Softing published an advisory that describes an input validation vulnerability in their OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate and OPC Suite products.

TandD Advisory - TandD published an advisory that describes a denial-of-service vulnerability in their TR4 Series devices.

NOTE: TandD does not call this a ‘vulnerability’; they call it a problem “whereby internal communication between components fails”, which kind of sounds like a ‘denial-of-service’ vulnerability to me.

VMware Advisory - VMware published an advisory that describes an arbitrary file read vulnerability in their VMware vRealize Operations product.

 

For more information on these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-c00 - subscription required.


Saturday, August 20, 2022

Review – Public ICS Disclosure – Week of 8-13-22

This week we have ten vendor disclosures from Aruba Networks, Aveva, Broadcom, Flexera, GE Grid Solutions, QNAP (2), Softing and WAGO (2). There are five vendor updates from B&R, Mitsubishi Electric, Palo Alto Networks, and Schneider (2). We also have a researcher report for products from Boeing. Finally, we have four exploits for products from Palo Alto Networks, FLIR (2), and Advantech.

Aruba Advisory - Aruba published an advisory that describes a sensitive information disclosure vulnerability in their Virtual Internet Access client for Windows.

Aveva Advisory - Aveva published an advisory that describes six vulnerabilities in their Edge product (formerly Indusoft Web Studio).

NOTE: Aveva reports that the vulnerabilities were coordinated through ‘ICS-CERT’ and ZDI, so I expect that there will be a NCCIC-ICS advisory next week.

Broadcom Advisory - Broadcom published an advisory that discusses an OS command injection vulnerability in their SANnav products.

Flexera Advisory - Revenera published an advisory that discusses two vulnerabilities in their FlexNet Publisher.

GE Grid Advisory - GE published an advisory for their Reason S20 product.

QNAP Advisory #1 - QNAP published an advisory that discusses seven vulnerabilities in their NAS products.

QNAP Advisory #2 - QNAP published an advisory that discusses five vulnerabilities in their NAS products.

Softing Advisory - Softing published an advisory that discusses five vulnerabilities in their OPC UA .NET SDK products.

WAGO Advisory #1 - CERT-VDE published an advisory that discusses six vulnerabilities in multiple WAGO product families.

WAGO Advisory #2 - CERT-VDE published an advisory that discusses four vulnerabilities in multiple WAGO product families.

B&R Update - B&R published an update for their Project Upload advisory that was originally published on January 20th, 2022.

Mitsubishi Update - Mitsubishi published an update for their OpenSSL advisory that was originally published on August 2nd, 2022.

Palo Alto Networks Update - Palo Alto Networks published an update for their PAN-OS advisory that was originally published on August 10th, 2022.

Schneider Update #1 - Schneider published an update for their OPC UA advisory that was originally published on July 12th, 2022 and most recently updated on August 9th, 2022.

Schneider Update #2 - Schneider published an update for their APC Smart-UPS advisory that was originally published on March 8th, 2022 and most recently updated on July 12th, 2022.

Boeing Report - Pen Test Partners published a report describing two vulnerabilities in the Boeing Onboard Performance Tool (OPT).

Palo Alto Networks Exploit - UnD3sc0n0c1d0 published an exploit for an OS command injection vulnerability in the Palo Alto PAN-OS.

FLIR Exploit #1 - Samy Younsi published an exploit for a remote command execution vulnerability in the FLIR AX8 thermal imaging camera.

FLIR Exploit #2 - Samy Younsi and Thomas Knudsen published an exploit for three vulnerabilities in the FLIR AX8 thermal imaging camera.

Advantech Exploit - Rgod, Shelby Pace, and Y4er published a Metasploit module for a command injection vulnerability in the Advantech iView NetworkServlet.

 

For more details about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-8-13 - subscription required.

Tuesday, August 16, 2022

Review – 7 Advisories and 1 Update Published – 8-16-22

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Sequi, Emerson, B&R, Delta Industrial, Softing, LS Industrial Systems, and Yokogawa. They also updated an advisory for products from Siemens.

Sequi Advisory - This advisory describes two vulnerabilities in the Sequi PortBloque S serial Modbus firewall.

Emerson Advisory - This advisory describes six vulnerabilities in the Emerson Proficy Machine Edition.

B&R Advisory - This advisory describes an improper input validation vulnerability in the B&R Automation Studio PLC programming software.

NOTE: While this vulnerability was discussed in the Evil PLC Attack paper, it was originally reported by B&R on January 20th, 2022 which I reported earlier. B&R updated their advisory this week, adding a reference to the Evil PLC Attack paper.

Delta Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Delta DRAS controller software suite.

Softing Advisory - This advisory describes nine vulnerabilities in the Softing Secure Integration Server.

LS Industrial Advisory - This advisory describes an inadequate encryption strength vulnerability in the LS Industrial LS ELEC PLC and XG5000.

Yokogawa Advisory - This advisory describes a resource management errors vulnerability in the Yokogawa CENTUM VP/CS 3000 Controller FCS products.

NOTE: I briefly reported this vulnerability on July 30th, 2022.

Siemens Update - This update provides additional information on an advisory that was originally published on May 12th, 2022 and most recently updated on July 12th, 2022.

NOTE: I briefly reported this update on Sunday.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-1-update-published-589 - subscription required.

Saturday, March 12, 2022

Review – Public ICS Disclosures – Week of 3-5-22 – Part 2

For Part 2 we have fourteen more vendor disclosures from HP (2), HPE (4), Medtronic, Palo Alto Networks (2), Philips (2), Softing (2), and Yokogawa. We also have updates from Axis and HPE. There is also an end-of-life notice from Honeywell. Finally, there are also two exploits for products from Siemens and the DirtyPipe vulnerability. Part 3 will be the Siemens and Schneider 2nd Tuesday advisories and updates not covered by NCCIC-ICS.

HP Advisory #1 - HP published an advisory describing eleven vulnerabilities in the system BIOS of certain HP PC products.

HP Advisory #2 - HP published an advisory describing an out-of-bounds write vulnerability in various HP PC products.

HPE Advisory #1 - HPE published an advisory discussing seven vulnerabilities with multiple public exploits in their HPE Cray System Software.

HPE Advisory #2 - HPE published an advisory discussing two vulnerabilities with multiple publicly available exploits in their HPE B-Series SANnav Management Software.

HPE Advisory #3 - HPE published an advisory discussing the PwnKit vulnerability in their HPE Nimble Storage and HPE Alletra 6000 Peer Persistence Witness OVA products.

HPE Advisory #4 - HPE published an advisory discussing the PwnKit vulnerability in their Virtualized Converged NonStop X NS2 VHOST CLIMs.

Medtronic Advisory - Medtronic published an advisory discussing the Access:7 vulnerabilities.

Moxa Advisory - Moxa published an advisory discussing the PwnKit vulnerability.

Palo Alto Advisory #1 - Palo Alto published an advisory describing a use of password hash with insufficient computational effort vulnerability in their PAN-OS.

Palo Alto Advisory #2 - Palo Alto published an advisory discussing an out-of-bounds read vulnerability (with a known exploit) in their PAN-OS.

Philips Advisory #1 - Philips published an advisory discussing the Access:7 vulnerabilities.

Philips Advisory #2 - Philips published an advisory discussing the TLStorm vulnerabilities.

Softing Advisory #1 - Softing published an advisory describing an improper input validation vulnerability in their OPC UA C++ SDK products.

Softing Advisory #2 - Softing published an advisory describing an improper input validation vulnerability in their OPC UA C++ SDK products.

Yokogawa Advisory - Yokogawa published an advisory describing three vulnerabilities in their CENTUM VP product. The vulnerabilities were reported by FSTEC of Russia.

Axis Update - Axis published an update for their AXIS IP Utility advisory that was originally published on February 14th, 2022.

HPE Update - HPE published an update for their HPE SAN Switches advisory that was originally published on July 22nd, 2021.

Honeywell EOL Notice - Honeywell published an EOL notice for their OmniAssure Touch Readers.

Siemens Exploit - RoseSecurity published an exploit for an unauthenticated Siemens S7-1200 CPU Start/Stop Command.

DirtyPipe Exploit - Max Kellermann published a Metasploit module for the DirtyPipe vulnerability.

For more details about these disclosures, including links to third-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-873 - subscription required.

Thursday, June 17, 2021

Review - 3 Advisories and 2 Updates Published – 6-17-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Advantech, Softing, and Schneider Electric. They also published updated advisories for products from Rockwell Automation and WAGO.

Advantech Advisory - This advisory describes two vulnerabilities in the Advantech WebAccess/SCADA.

Softing Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Softing OPC-UA C++ Software Development Kit.

Schneider Advisory - This advisory describes an improper privilege management vulnerability in the Schneider Enerlin'X Com’X 510 energy server.

Rockwell Update - This update provides additional information on an advisory that was originally published on January 21st, 2021 and most recently updated on February 16th, 2021.

WAGO Update - This update provides additional information on an advisory that was originally published on January 21st, 2021 and most recently updated on February 16th, 2021.

For a more detailed look at the advisories and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-2-updates-published (subscription required).

Saturday, April 3, 2021

Public ICS Disclosures – Week of 3-27-21

This week we have four vendor disclosures from Bosch (2), Dell, and VMware. There is an update from CODESYS. We also have three researcher reports for products from Rockwell Automation and Softing (2). Finally, we have an exploit for ScadaBR.

Bosch Advisories

Bosch published an advisory describing a stack-based buffer overflow in their Rexroth ActiveMover product using Ethernet IP. This is a third-party (Hilscher) vulnerability. Bosch has a newer version that mitigates the vulnerability.

Bosch published an advisory describing a stack-based buffer overflow in their Rexroth ActiveMover using Profinet. This is a third-party (Hilscher) vulnerability. Bosch provides generic workarounds to mitigate the vulnerability.

Dell Advisory

Dell published an advisory describing a configuration vulnerability in their Wyse ThinOS. The vulnerability was reported by Emanuel Rodrigues. Dell has new versions that mitigate the vulnerability. There is no indication that Rodrigues has been provided an opportunity to verify the efficacy of the fix.

VMware Advisory

VMware has published an advisory describing two vulnerabilities in their vRealize Operations product. The vulnerabilities were reported by Egor Dimitrenko of Positive Technologies. VMware has updates that mitigate the vulnerabilities. There is no indication that Dimitrenko has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Server-side request forgery - CVE-2021-21975, and

• Arbitrary file write - CVE-2021-21983

NOTE: Tenable has published a report on these vulnerabilities.

CODESYS Update

CODESYS published an update [.PDF download link] for their Control V3 password handling advisory that was originally published on August 1st, 2019 and most recently updated on May 14th, 2020. The new information includes:

• Enabling online user management by default,

• Adding additional JIRA reference CDS-73742, and

• Extending available software updates by V3.5.17.0 update

NOTE: The NCCIC-ICS advisory (ICSA-19-213-04) has not yet been updated.

Rockwell Report

Claroty published a report on the Rockwell FactoryTalk AssetCentre vulnerabilities that were announced earlier this week.

Softing Reports

Gruppo Tim published two reports for vulnerabilities in the Softing AG OPC Toolbox. The reports contain proof of concept code. There is no indication that Softing has been contacted.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2021-29661, and

• Cross-site request forgery - CVE-2021-29660

ScadaBR Exploit

Fellipe Oliveira published an exploit for an arbitrary file upload vulnerability in ScadaBR. There are no CVEs or indications that the vendor has been contacted. This may be a 0-day exploit.

Saturday, October 24, 2020

Public ICS Disclosures – Week of 10-17-20

We have one new vendor disclosure this week for products from HMS. We also have three vendor updates for products from Rockwell and Schneider (2). We also have news of a possible cyberattack on Softing, a control system vendor.

HMS Advisory

HMS published an advisory discussing the BLURtooth vulnerability. HMS reports that none of their products are affected by this vulnerability.

NOTE: The BLURtooth vulnerability is a currently unpatched vulnerability in some implementations of the Bluetooth standard that allows attacker-in-the-middle exploits. I expect that we will be seeing more vendor communications about this vulnerability in the coming weeks, especially from medical device manufacturers where the use of Bluetooth is more common.

Rockwell Update

Rockwell published an update for their advisory on OSIsoft PI System vulnerabilities that was originally published on May 12th, 2020. The new information includes new version information for vulnerability mitigation.

Schneider Updates

Schneider published an update for their Ripple20 advisory. The new information includes:

• Adding remediation for “EGX150/Link150 Ethernet Gateway”, “Acti9 PowerTag Link / HD”, “Acti9 Smartlink SI D”, and “Acti9 Smartlink SI B”, and

• Adding PowerLogic EGX100 to affected products list.

Schneider published an update for their APC by Schneider Electric Network Management Cards advisory that was originally published on June 23rd, 2020 and most recently updated on September 1st, 2020. The new information includes updated overview section, available remediations and affected products tables (some affected products were moved from the above advisory to this one).

Vendor News

When I checked the Softing advisory web page today an interesting popup appeared. It said:

“IMPORTANT NOTE:

“Softing AG fell victim to targeted cyber attacks through no fault of its own. Unknown perpetrators have invaded the internal networks. In order to avoid possible damage to the IT infrastructure, we have severely restricted the external communication options.

“For urgent inquiries we are still available to our customers under the following contact details:

“Softing Industrial Automation: +49 15119489547”

A brief Google® search reveals no news items about this attack.

As always with an attack on a control system vendor, we have to be concerned about the potential product security problems that could arise from the compromise of the system. Access to product source code could allow for easier vulnerability detection by the attacker or even possible modification of that source code to insert vulnerabilities. Access to vendor web site code could allow for the establishment of drive-by code. None of the above is a given, but it does provide an area for potential concern, particularly if the company is not completely forthcoming about the extent of the attack. Hopefully we are just early in the news cycle on this attack and more information will become publicly available in the coming days.

Tuesday, July 28, 2020

3 Advisories and 1 Update Published – 7-28-20


Today the CISA NCCIC-ICS published three control system security advisories for products from HMS Industrial Networks, Softing Industrial, and Secomea. They also published an update for an advisory for products from Delta Industrial Automation.

HMS Advisory


This advisory describes a stack-based buffer overflow in the HMS eCatcher VPN client. The vulnerability was reported by Sharon Brizinov of Claroty. HMS has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed. In addition, a buffer overflow condition may allow remote code execution with highest privileges.

NOTE: I briefly discussed this vulnerability earlier this month.

Softing Advisory


This advisory describes two vulnerabilities in the Softing OPC. The vulnerabilities were reported by Uri Katz of Claroty. Softing has a new version that mitigates the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-14524, and
• Uncontrolled resource consumption - CVE-2020-14522

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed. A buffer-overflow condition may also allow remote code execution.

Secomea Advisory


This advisory describes four vulnerabilities in the Secomea GateManager VPN manager. The vulnerabilities were reported by Sharon Brizinov and Tal Keren of Claroty. Secomea has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper neutralization of null byte or null character - CVE-2020-14500,
• Off-by-one error - CVE-2020-14508,
• Use of hard-coded credentials - CVE-2020-14510, and
• Use of password hash with insufficient computational effort - CVE-2020-14512

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain remote code execution on the device.

Delta Update


This update provides additional information on an advisory that was originally published on June 30th, 2020. The new information includes a link to a new version that mitigates the vulnerabilities.

 