This week we have 12 vendor disclosures from Bosch (2), FortiGuard, GE Gas Power, HPE, Insyde, Palo Alto Networks, SEL, and Splunk (4). We also have three vendor updates from Broadcom and HP (2). There are three researcher reports for products from X-Rite (2) and Bosch. Finally, we have exploits for products from Advantech and Signalwire.
As is typical for the Saturday after Cyber Tuesday, I will be looking at this week’s advisories and updates from Schneider and Siemens in Part 2.
Bosch Advisories
Bosch published an advisory that describes 25 vulnerabilities in their Nexo cordless nutrunner. The vulnerabilities were reported by Nozomi Networks. Bosch continues to work on developing mitigation measures.
Bosch published an advisory that describes an excessive attack surface vulnerability in their BCC Thermostat Product. Bosch has a new firmware version that mitigates the vulnerability.
FortiGuard Advisory
FortiGuard published an advisory that describes an improper privilege management vulnerability in their FortiOS and FortiProxy products. FortiGuard has new versions that mitigate the vulnerability.
GE Gas Power Notice
GE Gas Power published a notice in response to a NERC Section 800 data request to assess the extent of cross-border operation control of Bulk Power System Elements. The notice provides a description of how the GE Gas Power M&D product provides remote access to elements of the Bulk Power System.
HPE Advisory
HPE published an advisory that discusses four vulnerabilities (one of which is listed in CISA’s Known Exploited Vulnerabilities catalog) in their OneView software. The first of these is a third-party (Apache) vulnerability. HPE has a new version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Server-side request forgery - CVE-2021-40438 (KEV),
Command injection - CVE-2023-50274,
Authentication bypass - CVE-2023-50275, and
Missing pass phrase during restore - CVE-2023-6573
Insyde Advisory
Insyde published an advisory that discusses three vulnerabilities in their UEFI BIOS. These are third-party (EDK2) vulnerabilities. Insyde has new kernel versions that mitigate the vulnerabilities.
The three reported vulnerabilities are:
Heap-based buffer overflow (2) - CVE-2022-36763 and CVE-2022-36764, and
Integer overflow - CVE-2022-36765
Palo Alto Networks Advisory
Palo Alto Networks published an advisory that discusses the Terrapin-Attack vulnerability. Palo Alto Networks reports that their PAN-OS software may be susceptible, depending on the configuration. They provide instructions on how to remove the affected encryption algorithms.
SEL Advisory
SEL announced that the latest version (5.2.0.5) of their SEL-5037 SEL Grid Configurator fixes a cybersecurity vulnerability that could allow an authenticated attacker to execute arbitrary code when the computer starts.
Splunk Advisories
Splunk published an advisory that describes an uncontrolled resource consumption vulnerability in their Splunk Enterprise Security product. Splunk has new versions that mitigate the vulnerability.
Splunk published an advisory that describes an improper input validation vulnerability in their Enterprise Security product. Splunk has new versions that mitigate the vulnerability.
Splunk published an advisory that discusses seven vulnerabilities in their Enterprise Security product. These are third-party vulnerabilities. Splunk has new versions that mitigate the vulnerabilities.
The seven reported vulnerabilities are:
Incorrect comparison - CVE-2023-45133,
Inefficient regular expression complexity (4) - CVE-2021-23446 (exploit), CVE-2022-25883 (exploit), CVE-2022-37599, and CVE-2022-37603 (exploit), and
Prototype pollution (2) - CVE-2022-37601 (exploit) and CVE-2022-46175 (exploit)
Splunk published an advisory that discusses six vulnerabilities in their User Behavior Analytics software. These are third-party vulnerabilities. Splunk has new versions that mitigate the vulnerabilities.
The six reported vulnerabilities are:
Improper check for unusual or exception conditions - CVE-2023-32695,
Out-of-bounds write - CVE-2015-5237,
Improper input validation - CVE-2022-3171,
Parsing issue (2) - CVE-2022-3509 and CVE-2022-3510, and
Files or directories accessible to external parties - CVE-2023-2976
Broadcom Update
Broadcom published an update for their Netfilter subsystem advisory that was originally published on November 7th, 2023. The new information includes updating the Products Confirmed Not Affected list.
HP Updates
HP published an update for their Intel Optane SSD Firmware advisory that was originally published on November 20th, 2023. The new information includes updating version and SoftPaq information.
HP published an update for their Intel Rapid Storage Technology advisory that was originally published on November 20th, 2023. The new information includes adding 300 G4 products to the Business Notebook table.
X-Rite Reports
Claroty published two reports describing individual vulnerabilities in the X-Rite MA-T6 Kohinoor spectrophotometer firmware. There is no indication that the vendor has taken any measures to correct these vulnerabilities.
Improper access control - CVE-2023-49899, and
Improper sanitizing of user input - CVE-2023-49900
Bosch Report
Nozomi Networks published a report discussing nine vulnerabilities in the Bosch Rexroth ctrlX HMI WR21 (rebrand of Advantech TPC-110W HMI). Bosch reported these vulnerabilities on October 20th, 2023 and updated that advisory on November 21st, 2023. The report discusses how the vulnerabilities could be exploited.
Advantech Exploit
Cody 16 published an exploit for an SQL injection vulnerability in the Advantech Web/SCADA. There is no CVE listed, nor is there any indication that the vendor was contacted. This may be a 0-day exploit.
Signalwire Exploit
Amirhossein Bahramizadeh published an exploit for a race condition vulnerability in the Signalwire FreeSWITCH. Signalwire has a new version that mitigates the vulnerability.