Public ICS Disclosures – Week of 11-26-22
This week we have one OpenSSL 3.0 vendor advisory from Eaton. There are fourteen other vendor advisories from Aruba Networks, Broadcom, Carrier, CODESYS, Festo (2), Hitachi, Honeywell (2), HPE, Moxa (2), Rockwell Automation, and VMware. We also have two vendor updates from ABB and HPE. There are also three researcher reports for products from Festo and Delta Electronics (2). Finally, we have an exploit for products from Belden.
OpenSSL 3.0 Advisories
Eaton published an OpenSSL 3.0 advisory. Eaton reports that none of their products are affected.
Aruba Advisory
Aruba published an advisory that describes three broken access control vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by Oussama Sadouki and Colton Bachman. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
Broadcom Advisory
Broadcom published an advisory that discusses two vulnerabilities in their Active Support Connectivity Gateway. These are third-party (grub2) vulnerabilities. Broadcom is investigating the vulnerabilities.
The two reported vulnerabilities are:
Out-of-bounds write - CVE-2022-2601 and CVE-2022-3775
Carrier Advisory
Carrier published an advisory that discusses an improper authentication vulnerability in their LenelS2 OnGuard product. This is a fourth-party (erlang) vulnerability in a third-party (RabbitMQ) component. Carrier has a new version that mitigates the vulnerability.
CODESYS Advisory
CODESYS published an advisory that describes an inadequate encryption strength vulnerability in their V3 boot application. The vulnerability was reported by Abdelrahman Hassanien and Jos Wetzels, Forescout Technologies. CODESYS has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
Festo Advisories
CERT-VDE published an advisory that discusses two vulnerabilities in multiple Festo products. These are third-party (CODESYS) vulnerabilities. The vulnerabilities were reported by Daniel dos Santos and Rob Hulsebos from Forescout. Festo provides generic mitigation measures.
The two reported vulnerabilities are:
Insecure default initialization of resource - CVE-2022-31806, and
Exposure of resource to wrong sphere - CVE-2022-22515
CERT-VDE published an advisory that describes an insufficient technical documentation vulnerability in multiple Festo products. The vulnerability was reported by Daniel dos Santos and Rob Hulsebos from Forescout. Festo provides generic mitigation measures pending publication of new documentation.
Hitachi Advisory
Hitachi published an advisory that discusses 36 vulnerabilities in their Disk Array products. These are third-party (Microsoft) vulnerabilities. Hitachi has updates that mitigate the vulnerabilities.
Honeywell Advisories
Honeywell published an end-of-life notice for their V-Plex Dual Tech Motion Sensor.
Honeywell published an end-of-life notice for their Pro-Watch® 4.5 product effective May 31st, 2023.
HPE Advisory
HPE published an advisory that discusses five vulnerabilities in their UX Apache Web Server. These are third-party (Apache) vulnerabilities. HPE has new versions that mitigate the vulnerabilities.
The five reported vulnerabilities are:
Insufficient verification of data authenticity - CVE-2022-31813,
Allocation of resources without limit or throttling - CVE-2022-30522,
Integer overflow or wrap around - CVE-2022-28615 and CVE-2022-28614, and
Inconsistent interpretation of HTTP requests - CVE-2022-26377
Moxa Advisories
Moxa published an advisory that describes an improper input validation vulnerability in their Secure Router, EDR and TN Series. The vulnerability was reported by CNCERT. Moxa has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
Moxa published an advisory that describes an improper input validation vulnerability in their Secure Router, EDR and TN Series. The vulnerability was reported by CNCERT. Moxa has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
Rockwell Advisory
Rockwell published an advisory that describes a clear-text transmission of sensitive data vulnerability in their FactoryTalk LiveData Communication Module. The vulnerability was reported by GuidePoint Security (report includes proof-of-concept code). Rockwell provides generic mitigation measures.
NOTE: The GuidePoint post implies that HMIs from other vendors have similar problems with insecure communications and that the hacking techniques outlined in the post would be effective against those systems.
VMware Advisory
VMware published an advisory that describes a denial-of-service vulnerability in their Tools for Windows products. The vulnerability was reported by Sergey Kornienko and Wei Lei of PixiePoint Security. VMware has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.
ABB Update
ABB published an update for their Ability zenon, ZEE600, ZEE600C Log Server advisory that was originally published on July 26th, 2022. The new information includes updating the patch release version.
HPE Update
HPE published an update for their OneView advisory that was originally published on July 20th, 2022. The new information includes adding the 6.6.01 LTS release.
Festo Report
Forescout’s Vedere Labs published an update for their OT:ICEFALL report identifying three new vulnerabilities. In addition to the CODESYS and Festo vulnerabilities described above, they identified another denial-of-service vulnerability in products from Festo, which had previously been reported by Festo.
Delta Reports
CyberDanube published a report describing two vulnerabilities in the Delta DX-2100-L1-CN. The report includes proof-of-concept code. This is a coordinated disclosure with Delta reporting firmware patches to mitigate the vulnerabilities.
The two reported vulnerabilities are:
Command injection, and
Cross-site scripting
CyberDanube published a report describing a command injection vulnerability in the Delta DVW-W02W2-E2. The report includes proof-of-concept code. This is a coordinated disclosure with Delta reporting firmware patches to mitigate the vulnerability.
Belden Exploit
T Weber published an exploit for a command injection vulnerability in the Hirschmann (Belden) BAT-C2 8.8.1.0R8. The vulnerability was previously reported by Belden.