Public ICS Disclosures – Week of 7-29-23

Part 2

For Part 2 we have eight vendor updates for products from Broadcom (2), Fujitsu, Mitsubishi (2), Moxa (2), and Omron. Finally, we have 24 researcher reports for vulnerabilities in products from Inductive Automation (4), Triangle MicroWorks (12), and ZKTeco (8).

Broadcom Updates

Broadcom published an update for their Apache httpd advisory that was originally published on September 13^th, 2022. The new information includes:

• Updating vulnerability description, and

• Adding fix for Fabric OS v9.2.0

Broadcom published an update for their follow-redirects advisory that was originally published on September 13^th, 2023. The new information includes adding update for Brocade Fabric OS: v9.1.1 and v9.2.0 to remove the vulnerable components from the FOS binary.

Fujitsu Update

JP-CERT published an update for their Si-R series advisory that was originally published on July 26^th, 2023. The new information includes updating fixed version information.

Mitsubishi Updates

Mitsubishi published an update for their Genisis64 advisory that was originally published on July 19^th, 2023 and most recently updated on February 9^th, 2023. The new information includes adding fix for GENESIS64TM Version 10.97.

Mitsubishi published an update for their Genisis64 advisory that was originally published on December 13^th, 2022 and most recently updated on February 9^th, 2023. The new  information includes updating fix information for GENESIS64TM Version 10.97.

Moxa Updates

Moxa published an update for their NPort 5110 Series advisory that was originally published on June 10^th, 2022 and most recently updated on July 28^th, 2023. The new information includes:

• Adding NPort 5200A Series to the list of affected product, and

• Adding CVE numbers

NOTE: CISA has not updated their advisory (ICSA-22-207-04) for this new information.

Moxa published an update for their multiple switch series advisory that was originally published on June 14^th, 2023 and most recently updated on July 7^th, 2023. The new information includes:

• Adding PT-G7828 Series to the list of affected products, and

• Adding PT-G7828 Series to the list of confirmed not affected products.

Omron Update

Omron published an update for their CX-Drive advisory that was originally published on April 24^th, 2023. The new information includes adding affected product version numbers.

Inductive Automaton Reports

The Zero Day Initiative published four reports of individual vulnerabilities in the Inductive Automation Ignition product. The vulnerabilities were exploited in a Pwn2Own competition. This is a coordinated disclosure and Inductive automation has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Cross-site scripting - CVE-2023-38121,

• Cross domain policy - CVE-2023-38122,

• Missing authentication for critical function - CVE-2023-38123, and

• Exposed dangerous function - CVE-2023-38124

Triangle MicroWorks Reports

The ZDI published 12 reports of individual vulnerabilities in the Triangle MicroWorks SCADA Gateway product. These are coordinated disclosures and Triangle MicroWorks has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Missing authentication (2) - CVE-2023-39457 (exploited in Pwn2Own competition) and CVE-2023-39466,

• Hard coded credentials - CVE-2023-39458 (exploited in Pwn2Own competition),

• Directory traversal - CVE-2023-39459, CVE-2023-39460 (exploited in Pwn2Own competition),

• Improper output neutralization - CVE-2023-39461 (exploited in Pwn2Own competition),

• Unrestricted upload of file with dangerous type (2) - CVE-2023-39462 (exploited in Pwn2Own competition) and CVE-2023-39463 (exploited in Pwn2Own competition),

• Unquoted search path - CVE-2023-39464 (exploited in Pwn2Own competition),

• Hard coded cryptographic key - CVE-2023-39465,

• Information disclosure - CVE-2023-39467, and

• Exposed dangerous function - CVE-2023-39468

ZKTeco Reports

Claroty published four reports for individual vulnerabilities in the ZKTeco BioAccess product. There is no indication that this is a coordinated disclosure.

The four reported vulnerabilities are:

• Inadequate access controls - CVE-2023-38958,

• Path traversal - CVE-2023-38956,

• SQL injection - CVE-2023-38954, and

• Sensitive information disclosure - CVE-2023-38955

Claroty published four reports for individual vulnerabilities in the ZKTeco BioTime product. There is no indication that this is a coordinated disclosure.

The four reported vulnerabilities are:

• Inadequate access controls - CVE-2023-38952,

• Path traversal (2) - CVE-2023-38951 an CVE-2023-38950, and

• Inadequate password protection - CVE-2023-38949

NOTE: Claroty is typically very diligent in coordinating with vendors before disclosing vulnerabilities. I suspect that there may have been less than adequate response from ZKTeco, especially since their PSIRT page has no mention of these vulnerabilities.