This week for Part 1 we have 26 vendor disclosures from ABB (2), FortiGuard (2), Hitachi, HP, HPE (2), Moxa (2), Palo Alto Networks (7), PEPPERL+FUCHS, Phoenix Contact, and Schneider Electric (7).
In Part 2 we will have a few more vendor disclosures, vendor updates (including a bunch from Siemens), a few researcher reports and exploits.
ABB Advisories
ABB published an advisory that discusses two vulnerabilities in their Relion 630 Series Protection Relays. These are third-party (Hitachi Energy) vulnerabilities. ABB has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Improper resource shutdown or release - CVE-2022-3353, and
Improper validation of specified quantity in input - CVE-2023-4518
NOTE: The first vulnerability was reported in a number of Hitachi Energy products in 2023, see here for example.
ABB published an advisory that describes a NULL pointer dereference vulnerability in their RobotWare 6 product. ABB has new versions that mitigate the vulnerability.
FortiGuard Advisories
FortiGuard published an advisory that describes an incorrect type conversion or cast vulnerability in their FortiOS and FortiProxy products. The vulnerability was reported by Tim Yu from Bell Canada. FortiGuard has new versions that mitigate the vulnerability.
FortiGuard published an advisory that describes a use of externally-controlled format string vulnerability in their FortiAnalyzer product. FortiGuard has new versions that mitigate the vulnerability.
Hitachi Advisory
Hitachi published an advisory that discusses 30 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities. Hitachi has new versions that mitigate the vulnerabilities.
HP Advisory
HP published an advisory that discusses two out-of-bounds write vulnerabilities in multiple HP products. These are third-party (AMD) vulnerabilities. HP has SoftPaqs that mitigate the vulnerabilities.
HPE Advisories
HPE published an advisory that discusses an improper check for unusual or exceptional conditions vulnerability in their HPE ProLiant DL/ML, Synergy, Alletra, and Edgeline Servers. This is a third-party (Intel) vulnerability. HPE has a new BIOS firmware version that mitigates the vulnerability.
HPE published an advisory that discusses four vulnerabilities (one with publicly available exploits) in their Unified OSS Console Assurance Monitoring (UOCAM) product. These are third-party vulnerabilities. HPE has a new version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Server-side request forgery - CVE-2024-39338 (exploit),
Improper access control (2) - CVE-2024-22020 and CVE-2024-22018, and
Privilege escalation - CVE-2024-36137
Moxa Advisories
Moxa published an advisory that discusses a use-after-free vulnerability (that is listed in CISA’s Known Exploited Vulnerabilities catalog) in multiple Moxa products. Moxa has patches or updates for most of the affected products that mitigate the vulnerability.
Moxa published an advisory that discusses the regreSSHion vulnerability. Moxa provides a list of affected products and fixes for the vulnerability.
Palo Alto Networks Advisories
Palo Alto Networks published an advisory that describes an improper privilege management vulnerability in their PAN-OS products. The vulnerability was reported by an unnamed external reporter. Palo Alto Networks has new versions that mitigate the vulnerability.
Palo Alto Networks published an advisory that describes an execution with unnecessary privileges vulnerability in their GlobalProtect applications. The vulnerability was reported by Michael Baer of SEC Consult Vulnerability Lab and Marc Barrantes of KPMG Spain; the SEC Consult report includes proof-of-concept code. Palo Alto Networks has a new version for one of the affected products that mitigates the vulnerability.
Palo Alto Networks published an advisory that describes an exposure of sensitive information to an unauthorized control sphere vulnerability in their Cortex XSOAR product. The vulnerability was reported by Bobby Roos of Kyndryl CSIRT. Palo Alto Networks has a new version that mitigates the vulnerability.
Palo Alto Networks published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their Cortex XDR Agent. The vulnerability was reported by Orange Cyberdefense. Palo Alto Networks has new versions that mitigate the vulnerability.
Palo Alto Networks published an advisory that describes an out-of-bounds write vulnerability in their PAN-OS product. Palo Alto Networks has a new version that mitigates the vulnerability.
Palo Alto Networks published an advisory that discusses 15 vulnerabilities in their Prisma Access Browser. These are third-party (Chromium) vulnerabilities. Palo Alto Networks has a new version that mitigates the vulnerabilities.
Palo Alto Networks published an advisory that describes five vulnerabilities (three with publicly available exploits) in their Expedition product. The vulnerabilities were reported by Zach Hanley of Horizon3.ai; the report includes proof-of-concept code. Palo Alto Networks has a new version that mitigates the vulnerabilities.
The five reported vulnerabilities are:
OS command injection (2) - CVE-2024-9463 and CVE-2024-9464,
SQL injection - CVE-2024-9465,
Insertion of sensitive information into a log file - CVE-2024-9466, and
Cross-site scripting - CVE-2024-9467
PEPPERL+FUCHS Advisory
CERT-VDE published an advisory that discusses the regreSSHion vulnerability. They provide a list of affected products and fixes.
Phoenix Contact Advisory
Phoenix Contact published an advisory that discusses three vulnerabilities in their PLCnext Engineer product. These are third-party vulnerabilities. Phoenix Contact has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Uncontrolled resource consumption - CVE-2024-30105,
Allocation of resources without limit or throttling - CVE-2024-33862, and
Improper input validation - CVE-2024-38095
Schneider Advisories
Schneider published an advisory that describes two vulnerabilities in their Data Center Expert product. The vulnerabilities were reported by an anonymous researcher via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Improper verification of cryptographic signature - CVE-2024-8531, and
Missing authentication for critical function - CVE-2024-8530
Schneider published an advisory that discusses multiple vulnerabilities in the operating system of their Harmony iPC – HMIBSC IIoT Edge Box Core family products. These are third-party (Yocto OS) vulnerabilities. Schneider provides generic mitigation measures.
NOTE: This is an odd way for Schneider to deal with third-party vulnerabilities, so here is their description:
“The third-party Yocto OS (v2.1 Krogoth) is used in the HMIBSC offer. It is known to contain multiple high and critical risk vulnerabilities. Schneider Electric cannot update the OS on the HMIBSC due to its hardware limitations and cannot provide further security updates to our customers.”
Schneider published an advisory that describes an improper privilege management vulnerability in their Easergy Studio product. The vulnerability was reported by Charit Misra of Applied Risk. Schneider has a new version that mitigates the vulnerability.
Schneider published an advisory that describes a clear-text storage of sensitive information vulnerability in their EVlink Home Smart and Schneider Charge products. The vulnerability was reported by Simon Petitjean. Schneider has already deployed a fix for these products.
Schneider published an advisory that describes a deserialization of untrusted data vulnerability in their EcoStruxure Power Monitoring Expert product. Schneider has a hot fix that mitigates this vulnerability in one of the affected products; the other affected products are end-of-life and will not be fixed.
Schneider published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Harmony and Pro-face PS5000 Legacy Industrial PCs. Schneider recommends that customers uninstall the affected component (System Monitor application).
Schneider published an advisory that discusses multiple vulnerabilities in the operating system of their EcoStruxure EV Charging Expert products. These are third-party (Yocto OS) vulnerabilities. Schneider provides generic mitigation measures.
NOTE: See the Harmony iPC advisory above.