This week we have eight public disclosures from Bosch, Carestream, ENDRESS+HAUSER, Dell, Draeger, GE Healthcare, Pulse Secure, and VMware. An update is available for products from Rockwell. There is an end-of-life notice from Honeywell. Finally, there is an exploit for products from VMware.

Bosch Advisory

Bosch published an advisory describing a side-channel key extraction vulnerability in the Bosch cameras and encoders built on the CPP-ENC, CPP3, CPP4, CPP5, CPP6, CPP7 and CPP7.3 platforms. This is a third-party vulnerability (NXP). Since this is a chip-based vulnerability, Bosch is only able to provide generic workarounds. The original NinjaLab report on the NXP vulnerability contains proof-of-concept code.

NOTE: This third-party vulnerability was reported earlier in products from Rockwell; other vendors will probably also be affected.

Carestream Advisory

Carestream published an advisory discussing the Google Chrome heap-based buffer overflow vulnerability. Carestream provides a list of affected and unaffected products. Carestream will update Chrome in the next product release for the affected products.

ENDRESS+HAUSER Advisory

CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in a number of ENDRESS+HAUSER products. ENDRESS+HAUSER provides generic workarounds pending development of appropriate mitigation measures in future versions of the products.

Dell Advisory

Dell published an advisory describing two vulnerabilities in their EMC OpenManage Server Administrator. The vulnerabilities were reported by David Yesland from Rhino Security Labs and Tenable. Dell has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass – CVE-2021-21513, and

• Path traversal – CVE-2021-21514

NOTE: The Tenable report contains proof-of-concept code for the

Draeger Advisory

Draeger published an advisory describing an out-of-bounds write vulnerability in their CC-Vision Basic and CC-Vision E-Cal software. The vulnerability was reported by Mario Ceballos. Draeger has new versions that mitigate the vulnerability. There is no indication that Ceballos has been provided an opportunity to verify the efficacy of the fix.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing the Microsoft Windows TCP/IP vulnerabilities. GE Healthcare reports that they are actively assessing products to see if they are affected.

Pulse Secure Advisory

Pulse Secure has published an advisory discussing the TrickBoot vulnerability in their PSA-Series hardware. Pulse Secure has a BIOS patch available that mitigates the vulnerability.

VMware Advisory

VMware published an advisory describing a remote code execution vulnerability in their View Planner product. The vulnerability was reported by Mikhail Klyuchnikov of Positive Technologies. VMware has a security patch that mitigates the vulnerability. There is no indication that Klyuchnikov has been provided an opportunity to verify the efficacy of the fix.

Rockwell Update

Rockwell published an update for their Logix Controllers advisory that was originally published on February 25th, 2021. The advisory was re-written for clarity.

NOTE: I suspect the NCCIC-ICS will update their advisory on this vulnerability this coming week.

Honeywell EOL Notice

Honeywell published an end-of-life notice for their Pro-Watch 4.3 and Pro-Watch 4.35 products. The products will no longer be supported after September 30th, 2021.

VMware Exploit

Photubias published an exploit for an unauthenticated file upload vulnerability in VMware vCenter Server 7.0. The vulnerability was previously reported by VMware.

Author of this post: PJCoyle