
Sunday, October 31, 2021

Review - Public ICS Disclosures – Week of 10-23-21 – Part 2

In Part 2 we have an additional eleven vendor disclosures from GPSD, Ingeteam, Hitachi ABB Power Grids, HPE (2), QNAP, Tanzu (4), and Yokogawa. We have an updated disclosure for OMRON products. Finally, we have two exploits for products from Hikvision and SonicWall.

GPSD Advisory - Incibe CERT published an advisory discussing the GPS Daemon Rollover Bug (CISA published a short advisory on the same topic).

Ingeteam Advisory - Incibe CERT published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the Ingeteam INGEPAC DA AU ring main unit.

Hitachi ABB Advisory - Hitachi ABB published an advisory describing a certificate verification vulnerability in their PCM600 Engineering Tool.

HPE Advisory #1 - HPE published an advisory describing a directory traversal vulnerability in their iLO Amplifier Pack.

HPE Advisory #2 - HPE published an advisory describing a local bypass of security restrictions vulnerability in their HPE ProLiant products.

QNAP Advisory - QNAP published an advisory describing a command injection vulnerability in their Media Streaming Add-On.

Tanzu Advisory #1 - Tanzu published an advisory discussing a shared interface vulnerability in their Spring by VMware products.

Tanzu Advisory #2 - Tanzu published an advisory describing a security bypass vulnerability in their Spring Data REST products.

Tanzu Advisory #3 - Tanzu published an advisory describing a vulnerability involving the deserialization of a maliciously constructed java.util.Dictionary object in their Spring-AMQP product.

Tanzu Advisory #4 - Tanzu published an advisory describing a log injection vulnerability in their Spring Framework.

Yokogawa Advisory - Yokogawa published an advisory discussing an unsupported Microsoft XML version vulnerability in many of their products.

OMRON Update - JP CERT published an update for the OMRON CS-Supervisor advisory that was originally published on October 15th, 2021.

Hikvision Exploit - Bashis published an exploit for a command injection vulnerability in the Hikvision web server.

SonicWall Exploit - The Vulnerability Lab published an exploit for a cross-site scripting vulnerability in the SonicWall SonicOS.

For more details on the advisories, updates and exploits, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-a7c - subscription required.

Thursday, February 14, 2019

Two Advisories and Three Updates Published – 02-14-19


Today the DHS NCCIC-ICS published two control system security advisories for products from the gpsd Open Source Project and Pangea. They also updated three previously published advisories for products from Fuji and Siemens (2). The gpsd advisory was originally published on the HSIN ICS-CERT library on November 6, 2018.

gpsd Advisory


This advisory describes a stack-based buffer overflow vulnerability in gpsd, an open-source GPS framework. The vulnerability was reported by GE Digital Cyber Security Services, working with GE-PSIRT. A new version is available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow remote code execution, data exfiltration, or denial-of-service via device crash.

Note: This advisory is a ‘third-party vendor’ vulnerability report. NCCIC-ICS reports that gpsd can be found in many mobile embedded systems such as Android phones, drones, robot submarines, driverless cars, manned aircraft, marine navigation systems, and military vehicles.

Pangea Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Pangea Internet FAX Analog Telephone Adapter (ATA). The vulnerability was reported by Ankit Anubhav of NewSky Security. Pangea has a patch deployed that mitigates the vulnerability. There is no indication that Anubhav has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerability to cause the device to reboot and create a continual denial-of-service condition.

Fuji Update


This update provides additional information on an advisory that was originally published on September 27th, 2018. The update announces the availability of a new firmware version that mitigates the vulnerabilities.

Licensing Software Update


This update provides additional information on an advisory that was originally published on February 12th, 2019. The update makes a number of editorial corrections in the data presentation on the vulnerabilities reported. I missed identifying these inconsistencies as I reported on the vulnerabilities based upon the Talos reports. The update still does not mention that there are publicly available exploits for these vulnerabilities from those reports.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, November 14th, 2017, January 23rd, 2018, February 27th, 2018, and most recently on June 21st, 2018. The update provides updated affected version information and mitigation links for SINAUT ST7CC.

 