We have eight vendor notifications about the CodeMeter vulnerabilities reported earlier this week by NCCIC-ICS from Phoenix Contact, PEPPERL+FUCHS, WAGO, ABB, and Pilz. We also have four vendor notifications from Schneider, Moxa, Medtronic, and BD. There is a vendor update from Mitsubishi. We have a researcher report of 0-day vulnerabilities for products from Fuji Electric.
CodeMeter Advisories
Phoenix Contact published an advisory for the CodeMeter vulnerabilities. They listed their affected products and announced a new version of their Activation Wizard that mitigates the vulnerabilities.
VDE-CERT published an advisory for the CodeMeter vulnerabilities in products from PEPPERL+FUCHS. It provides a list of affected products and recommends implementing the WIBU Systems update.
VDE-CERT published an advisory for the CodeMeter vulnerabilities in products from WAGO. It reports that the e!COCKPIT engineering software is bundled with the CodeMeter software. VDE-CERT notes that WAGO will update their e!COCKPIT setup routine later this year.
ABB published four CodeMeter advisories for the following products:
• Ability™ Operations Data Management zenon, and
Pilz published an advisory for the CodeMeter vulnerabilities. It provides a list of affected products and recommends using the current version of CodeMeter.
Schneider Advisory
Schneider published an advisory describing five vulnerabilities in their SCADAPack remote connect and security administrator applications. The vulnerabilities were reported by Amir Preminger of Claroty. Schneider has new versions that mitigate the vulnerabilities. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.
The five reported vulnerabilities are:
• Deserialization of untrusted data - CVE-2020-7528 and CVE-2020-7532,
• Path traversal - CVE-2020-7529,
• Improper authorization - CVE-2020-7530, and
• Improper access control - CVE-2020-7531
Moxa Advisory
Moxa published an advisory for the BootHole vulnerability. Moxa reports that none of its products are affected.
Medtronic Advisory
Medtronic published an advisory describing the SweynTooth vulnerabilities in a number of their products. Medtronic reports that they remediated these vulnerabilities when they did their software update in June 2020.
BD Advisory
BD published an advisory describing the SigRed vulnerabilities in a number of their products. BD recommends ensuring that the appropriate Microsoft® patches have been applied.
Mitsubishi Update
Mitsubishi published an update for their MC Works advisory that was originally published on June 18th, 2020. The new information includes links for security patches for MC Works64 Version 4.00A - 4.02C.
Fuji Electric Reports
Kimiya published 14 reports (ZDI-20-1103 thru ZDI-20-1117) of vulnerabilities in the Fuji Electric Tellus Lite product. The vulnerabilities were reported to ‘ICS-CERT’ (presumably, NCCIC-ICS) by the Zero Day Initiative back in April.
The vulnerabilities include:
• Stack-based buffer overflow,
• Out-of-bounds write, and
• Out-of-bounds read