Review – Public ICS Disclosures – Week of 1-28-23
This week we have twelve vendor disclosures from BaiCells, B&R,
Hitachi, HP, HPE, JTEKT Electronics, Moxa, Pulse Secure (2), QNAP, and VMware
(2). There is also a vendor update from VMware. Finally, we have two researcher
reports for products from Sierra Wireless and describing vulnerabilities in the
Open Charge Point Protocol for electric vehicle charging stations.
BaiCells Advisory – BaiCells published an
advisory that describes a use of hard-coded credentials vulnerability in
their Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices.
B&R Advisory – B&R published an
advisory that describes five vulnerabilities in their ARPOL database.
Hitachi Advisory – Hitachi published an
advisory that discusses 60 vulnerabilities in their Disk Array Systems.
HP Advisory – HP published an
advisory that describes an escalation of privilege vulnerabilities in their
Factory Preinstalled Images.
HPE Advisory – HPE published an
advisory that discusses a use-after-free vulnerability in their HPE OneView.
JTEKT Advisory – JP CERT published an advisory that
describes seven vulnerabilities in the JTEKT Screen Creator Advance product.
Moxa Advisory – Moxa published an
advisory that describes six vulnerabilities in their SDS-3008 Series web
Pulse Secure Advisory #1 – Pulse Secure published an
advisory that discusses four OpenSSL vulnerabilities.
Pulse Secure Advisory #2 – Pulse Secure published an
advisory that describes a cross-site request forgery vulnerability in their
Pulse Connect Secure.
QNAP Advisory – QNAP published an advisory
that describes an SQL injection vulnerability in their QTS or QuTS hero
VMware Advisory #1 – VMware published an advisory
that describes a cross-site request forgery bypass vulnerability in their vRealize
VMware Advisory #2 – VMware published an advisory
that describes an arbitrary file deletion vulnerability in their VMware
VMware Update – VMware published an update
for their vRealize Log Insight advisory that was originally published on
January 24th, 2023.
Sierra Wireless Report – Otorio published a report describing two vulnerabilities
in the Sierra Wireless AirLink products. The report contains proof-of-concept
OCPP Report – SaiFlow published a
report describing two vulnerabilities in the WebSocket communications used
by the Open Charge Point Protocol (OCPP).
For more details about these disclosures, including links to
researcher reports and exploits, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-768
– subscription required.