Public ICS Disclosures – Week of 6-8-24 - Part 2
For Part 2 we have nine additional vendor disclosures from Schneider Electric (5), Siemens, VMware, Western Digital, and ZKTeco. We also have 28 vendor updates from HP (13), Schneider (2), and Siemens (13). In Part 3 we will look at researcher reports and exploits.
Schneider Advisories
Schneider published an advisory that describes a files or directories accessible to external parties vulnerability in their Modicon M340 and BMXNOE0100 and BMXNOE0110 products. The vulnerability was reported by Yanis Wang of DAS-Security. Schneider provides generic mitigation measures pending development of a fix.
Schneider published an advisory that describes a use of broken or risky cryptographic algorithm vulnerability. Schneider provides generic mitigation measures pending development of a fix.
Schneider published an advisory that describes an exposure of resource to wrong sphere vulnerability in their EVlink Home Smart product. The vulnerability was reported by Simon Petitjean. Schneider has a new version that mitigates the vulnerability. There is no indication that Petitjean has been provided an opportunity to verify the efficacy of the fix.
Schneider published an advisory that describes a TOCTOU race condition in their SpaceLogic AS-P and AS-B products. The vulnerability was reported by Sharon Brizinov of Claroty. Schneider has a new version that mitigates the vulnerability. There is no indication that Sharon has been provided an opportunity to verify the efficacy of the fix.
Schneider published an advisory that describes six vulnerabilities in their SAGE RTU products. The vulnerabilities were reported by Marlon Schumacher, Alex Armstrong, and Vishal Madipadga. Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
Out-of-bounds write - CVE-2024-37036,
Path traversal - CVE-2024-37037,
Incorrect default permissions - CVE-2024-37038,
Unchecked return value - CVE-2024-37039,
Classic buffer overflow - CVE-2024-37040, and
Out-of-bounds read - CVE-2024-5560
Siemens Advisory
Siemens published an advisory that describes an incorrect type conversion or cast vulnerability in their Tecnomatix Plant Simulation product. The vulnerability was reported by the Zero Day Initiative. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
VMware Advisory
VMware published an advisory that describes three vulnerabilities in their SD-WAN Edge and SD-WAN Orchestrator products. The vulnerabilities were reported by Saif Aziz and Abdelrahman Adel of CyShield. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
Command injection - CVE-2024-22246,
Missing authentication - CVE-2024-22247, and
Open redirect - CVE-2024-22248
NOTE: The VMware advisories have morphed to a blend of their style and the Broadcom style. Fortunately, the important parts (vulnerability and fix information) of the VMware style remain. Broadcom should consider using this blended style for their advisories.
Western Digital Advisory
Western Digital published an advisory that describes a cross-site scripting vulnerability in multiple Western Digital products. The vulnerability was reported by Jay Mehta. Western Digital has a new version that mitigates the vulnerability. There is no indication that Mehta has been provided an opportunity to verify the efficacy of the fix.
ZKTeco Advisory
ZKTeco published an advisory that announced that they had a firmware update that “addresses minor vulnerabilities identified in certain models of our standalone terminals”. No details about those ‘minor vulnerabilities’ are available.
HP Updates
HP published an update for their Aruba 9200 and 9000 Series Controllers advisory that was originally published on September 6th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba ClearPass Policy Manager advisory that was originally published on October 24th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba AirWave Management Platform advisory that was originally published on October 17th, 2023 and most recently updated on October 23rd, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their ArubaOS-Switch Switches advisory that was originally published on August 29th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba EdgeConnect SD-WAN Orchestrator advisory that was originally published on August 22nd, 2023 and most recently updated on October 3rd, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba Networking Virtual Intranet Access advisory that was originally published on August 15th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba CX Switches advisory that was originally published on August 1st, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba Access Points advisory that was originally published on July 25th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their ArubaOS advisory that was originally published on July 11th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba EdgeConnect Enterprise advisory that was originally published on May 24th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba Access Points advisory that was originally published on May 9th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their Aruba Bypassing Wi-Fi Encryption advisory that was originally published on April 4th, 2023, and most recently updated on April 6th, 2023. The new information includes updating HPE and CSAF links for webpage conversion.
HP published an update for their ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers advisory that was originally published on April 2nd, 2024 and most recently updated on June 3rd, 2024. The new information includes adding CVE-2021-38578, buffer underflow, 3rd party (Tianocore).
Schneider Updates
Schneider published an update for their CODESYS Runtime advisory that was originally published on July 11th, 2023, and most recently updated on April 9th, 2024. The new information includes adding Easy Modicon M310 to the list of affected products.
Schneider published an update for their Easy UPS advisory that was originally published on April 11th, 2023, and most recently updated on June 13th, 2023. The new information includes:
Updating the vulnerability description for CVE-2023-29412, and
Updating the remediation instructions
Siemens Updates
Siemens published an update for their SICAM Products advisory that was originally published on May 14th, 2024. The new information includes adding Constantin Schieber-Knöbl and Stefan Viehböck to the acknowledgment.
Siemens published an update for their RUGGEDCOM APE1808 advisory that was originally published on March 12th, 2024, and most recently updated on May 14th, 2024. The new information includes adding newly published upstream CVEs CVE-2023-45586, CVE-2024-26007, CVE-2023-36640, CVE-2023-45583, CVE-2023-44247, CVE-2023-46714.
Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 13th, 2024, and most recently updated on April 9th, 2024. The new information includes:
Adding fix for SIMATIC WinCC Runtime Professional V19, and
Adding corrected fix version of WinCC V8.0 from SP4 to Update4
Siemens published an update for their OPC UA Implementations advisory that was originally published on September 12th, 2023, and most recently updated on May 14th, 2024. The new information includes adding fix for SIMATIC WinCC Runtime Professional V19.
Siemens published an update for their Profinet Devices advisory that was originally published on July 13th, 2021, and most recently updated on April 12th, 2024. The new information includes:
Adding fix for SIMATIC CFU PA/DIQ, and
Announcing fix planned for SIMATIC IE/PB-LINK
Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 11th, 2023, and most recently updated on May 9th, 2023. The new information includes adding fixes for SIMATIC CP 15xxSP-1 devices.
Siemens published an update for their S7-1500 CPU Devices advisory that was originally published on January 10th, 2023, and most recently updated on December 12th, 2023. The new information includes adding information about additional new S7-1500 hardware versions: SIMATIC S7-1500 CPU 1511C-1 PN, SIMATIC S7-1500 CPU 1512C-1 PN.
Siemens published an update for their PROFINET Stack advisory that was originally published on April 12th, 2022, and most recently updated on May 14th, 2024. The new information includes adding fix for SINAMICS S210, SIMATIC CFU DIQ and SIMATIC CFU PA.
Siemens published an update for their Parasolid and Teamcenter Visualization advisory that was originally published on August 8th, 2023, and most recently updated on November 14th, 2023. The new information includes:
Correcting error regarding fix information for CVE-2023-38527, CVE-2023-38529 and CVE-2023-38531 for Teamcenter Visualization V14.1, Teamcenter Visualization V14.2 and Teamcenter Visualization V14.3,
Adding Teamcenter Visualization V2312,
Correcting CVSSv3.1 vector of CVE-2023-38532, and
Adding CVSSv4.0 vector to all CVEs.
Siemens published an update for their GNU/Linux Subsystem advisory that was originally published on December 12th, 2023, and most recently updated on May 14th, 2024. The new information includes adding CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602, CVE-2024-34459.
Siemens published an update for their SCALANCE XB-200 advisory that was originally published on March 12th, 2024. The new information includes clarifying that no fix is currently planned.
Siemens published an update for their SIMATIC RTLS advisory that was originally published on May 14th, 2024. The new information includes adding specific mitigation for CVE-2024-30207.
Siemens published an update for their SICAM PAS/PQS advisory that was originally published on October 10th, 2023. The new information includes adding fix release for SICAM PAS/PQS for CVE-2023-38640.