Public ICS Disclosures – Week of 1-22-22
This week we have eight vendor disclosures from Bosch, CODESYS, Dell, GE Gas Power, Hitachi, HPE (2), and Phoenix Contact. We have seven vendor updates from Dell, ABB (2), Honeywell, QNAP, Siemens, and VMware. We also have 17 researcher reports for products from Reolink (14), Moxa (2), and WAGO.
NOTE: This week’s post includes a number of Log4Shell updates and one new advisory. As I mentioned last week, there will probably not be any more stand-alone Log4Shell posts.
Bosch Advisory
Bosch published an advisory describing an HTML code injection vulnerability in their Android Application, Bosch Video Security. The vulnerability was reported by Sergey Toshin of Oversecured. Bosch has a new version that mitigates the vulnerability. There is no indication that Toshin has been provided an opportunity to verify the efficacy of the fix.
CODESYS Advisory
CODESYS published an advisory describing a NULL pointer dereference vulnerability in their CODESYS PROFINET. CODESYS has a new version that mitigates the vulnerability.
Dell Advisory
Dell published an advisory describing two vulnerabilities in their Wyse Windows Embedded System. These are third-party (OpenSSL) vulnerabilities. Dell has updated versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Classic buffer overflow - CVE-2021-3711, and
Out-of-bounds read - CVE-2021-3712
GE Gas Power Advisory
GE Gas Power published an advisory discussing the Log4Shell vulnerabilities. They provide a list of affected products with mitigation measures for most of the affected products. It appears that most of the products are affected through 3rd party components.
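Because most of the Log4Shell exposure in this week's advisories comes through third-party components, the useful check on a system you own is not "do we ship log4j" but "is there a log4j-core archive anywhere on the box, including inside a WAR or EAR, and what version is it". The script below is an added example (not GE Gas Power's or any vendor's tooling) that walks a directory tree, recurses into nested archives, and reports each log4j-core it finds together with whether the JndiLookup class is still present. The fixed-version table follows the Log4j branches as published by Apache in early 2022 (2.17.1, 2.12.4 for Java 7, 2.3.2 for Java 6); the sample tree it scans is constructed in a temporary directory for the demonstration.

```python
"""Find log4j-core archives in a directory tree, including ones nested inside
WAR/EAR/JAR files, and report whether each is at a fixed version.
Added example: not part of any vendor advisory."""
import io
import os
import re
import tempfile
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
CORE_PKG = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PKG + "lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# First release per maintenance branch without CVE-2021-44228/-45046/-45105/
# -44832, per the Apache Log4j security page as of January 2022 (assumption).
FIXED = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the string is not a dotted version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the version meets the fixed release for its branch."""
    if version is None:
        return False
    return version >= FIXED.get(version[:2], FIXED_DEFAULT)


def manifest_version(zf):
    """Read Implementation-Version from the archive manifest, if present."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def inspect_archive(zf, path, findings):
    """Record log4j-core evidence in zf, then recurse into nested archives."""
    names = zf.namelist()
    if any(n.startswith(CORE_PKG) for n in names):
        version = parse_version(manifest_version(zf))
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names,
                         "fixed": is_fixed(version)})
    for n in names:
        if n.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(n)))
            except zipfile.BadZipFile:
                continue  # not really a zip; skip rather than abort the scan
            inspect_archive(nested, path + "!" + n, findings)


def scan_tree(root):
    """Walk root, inspect every archive found, return findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, rel, findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda r: r["path"])


def make_jar(version, with_core=True):
    """Constructed minimal jar mimicking log4j-core's (or log4j-api's) layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if with_core:
            zf.writestr(CORE_PKG + "Logger.class", b"")
            zf.writestr(JNDI_CLASS, b"")
        else:
            zf.writestr("org/apache/logging/log4j/Logger.class", b"")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: a WAR bundling log4j-core 2.14.1 plus a loose 2.17.1."""
    os.makedirs(os.path.join(root, "lib"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", make_jar("2.14.1", with_core=False))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_jar("2.17.1"))


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real install with `scan_tree("/opt/vendor")`; the only finding a vendor advisory will not tell you about is the one nested two archives deep. A log4j-core that reports a fixed version but still contains JndiLookup.class is fine; the reverse (old version, class removed) is the "remove the class" mitigation and should be treated as temporary until the vendor ships a fixed version.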
Hitachi Advisory
Hitachi published an advisory discussing 83 vulnerabilities in their Disc Array Systems. These are third-party (Windows) vulnerabilities. Hitachi has new versions that mitigate the vulnerabilities.
HPE Advisories
HPE published an advisory describing a buffer overflow vulnerability in their FlexNetwork 5130 EL Switch Series. The vulnerability was reported by Qian Chen of the Codesafe Team. HPE has a new version that mitigates the vulnerability. There is no indication that Qian has been provided an opportunity to verify the efficacy of the fix.
HPE published an advisory describing an unquoted search path vulnerability in their Agentless Management Service for Windows product. The vulnerability was reported by Daisuke Ota of PwC Consulting. HPE has new versions that mitigate the vulnerability. There is no indication that Ota has been provided an opportunity to verify the efficacy of the fix.
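An unquoted search path in a Windows service is easy to audit for because the bug is entirely in the ImagePath string: when the path is unquoted and contains spaces, CreateProcess tries each space-delimited prefix (with .exe appended) before reaching the intended binary, so a file planted at one of those prefixes runs with the service's privileges. The code below is an added example, not HPE's product or advisory content; the service names and paths in it are constructed, and it reads a dictionary rather than the live registry so it runs anywhere.

```python
"""Classify Windows service ImagePath strings for the unquoted search path bug
and produce the quoted form. Added example with constructed sample data."""


def executable_candidates(image_path):
    """Paths CreateProcess would try, in order, for this command line.

    An unquoted command containing spaces is resolved by trying each
    space-delimited prefix in turn, appending .exe when the prefix has no
    extension, until one exists on disk. Every prefix before the intended
    executable is a location where a planted binary would run instead.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []  # quoted: the executable path is unambiguous
    parts = cmd.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break  # reached the intended executable; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(image_path):
    """Bogus paths tried before the real executable (empty when safe)."""
    return executable_candidates(image_path)[:-1]


def quote_image_path(image_path):
    """Hardened form: wrap the executable path in quotes, keep its arguments."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return cmd
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        exe = " ".join(parts[:i])
        if exe.lower().endswith(".exe"):
            args = parts[i:]
            return '"%s"%s' % (exe, " " + " ".join(args) if args else "")
    return '"%s"' % cmd  # no .exe suffix found: quote the whole string


def audit(services):
    """Map service name -> hijack points for every unquoted, spaced ImagePath."""
    return {name: hijack_points(path)
            for name, path in services.items() if hijack_points(path)}


# Constructed sample of what HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
# values look like; the vendor and service names are hypothetical.
SAMPLE_SERVICES = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Agent Service\agent.exe -run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Agent Service\agent.exe" -run',
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


if __name__ == "__main__":
    for name, points in audit(SAMPLE_SERVICES).items():
        print(name)
        for p in points:
            print("  would try:", p)
        print("  fix:", quote_image_path(SAMPLE_SERVICES[name]))
```

On a real host, feed `audit()` the ImagePath values from `HKLM\SYSTEM\CurrentControlSet\Services`. A hit is only exploitable when an unprivileged user can create a file at one of the listed paths (for example, a vendor directory with a loose ACL) and the service runs as SYSTEM; this script does not check ACLs, so treat its output as the candidate list, not the verdict. The fix the vendor ships is exactly what `quote_image_path()` produces.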
Phoenix Contact Advisory
Phoenix Contact published an advisory describing an incorrect privilege assignment vulnerability in their FL SWITCH 2xxx series products. Phoenix Contact has new versions that mitigate the vulnerability. Earlier (than 3.00) versions of the products are not affected.
Dell Update
Dell published an update for their general Log4Shell advisory. The new information includes an updated affected product list.
ABB Updates
ABB published an update for their BadAlloc advisory that was originally published on August 19th, 2021. The new information includes:
Updating to Hitachi format, and
Providing link to fixed version.
ABB published an update for their Log4Shell Advisory. The new information includes:
Noting that NM SCADA/EMS, Ranger or NMR are only affected through 3rd party components, and
Adding a patch validation report.
Honeywell Update
Honeywell published an update for their Log4Shell advisory.
QNAP Update
QNAP published an update for their QTS and QuTS hero advisory that was originally published on January 13th, 2021. The new information includes updated affected versions.
Siemens Update
Siemens published an update for their Log4Shell advisory. The new information includes:
Adding Teamcenter Active Workspace (AW), Microservices Framework (MSF) and Reporting and Analytics (TcRA) to the affected products list,
Removing Teamcenter Requirements from the affected products list, and
Adding additional products considered as not affected
VMware Update
VMware published an update for their VMware Workstation, Fusion and ESXi advisory that was originally published on January 4th, 2022. The new information includes adding ESXi 7.0 to the list of affected products.
Reolink Reports
Talos published 14 reports about 76 vulnerabilities in the Reolink RLC-410W camera. These were coordinated disclosures and Reolink has reportedly developed a patch to mitigate the vulnerabilities. Each report contains proof-of-concept exploit code.
The reported vulnerabilities include:
Memory corruption - CVE-2022-21796,
Authentication bypass - CVE-2021-40404,
OS command injection (6) - CVE-2021-40407, CVE-2021-40408, CVE-2021-40409, CVE-2021-40410, CVE-2021-40411, and CVE-2021-40412,
Out-of-bounds write - CVE-2022-21217,
Denial of service (4) - CVE-2021-40406, CVE-2022-21801, CVE-2021-40405, and CVE-2021-40423,
Firmware update (2) - CVE-2022-21134, and CVE-2021-40419,
Information disclosure (2) - CVE-2022-21199, and CVE-2022-21236,
Incorrect default permission (4) - CVE-2021-40413, CVE-2021-40414, CVE-2021-40415, and CVE-2021-40416, and
JSON command parser (55) – CVE-2021-44354 thru -44419
Moxa Reports
KoreLogic published two reports about two vulnerabilities in the Moxa TN-5900 secure routers. These vulnerabilities have been previously reported by Moxa. The KoreLogic reports contain proof-of-concept code.
The two reported vulnerabilities are:
OS command injection - CVE-2021-46560, and
Improper validation of integrity check value - CVE-2021-46559
WAGO Report
SEC Consult published a report about four vulnerabilities in the WAGO 750-8xxx PLC. The first of these vulnerabilities was previously disclosed by WAGO. The SEC Consult report includes proof-of-concept code.
The four reported vulnerabilities are:
Denial of service - CVE-2021-34593,
Enumeration of users,
Outdated software with known vulnerabilities, and
Insufficient hardening of binaries.