Finally. We have seven vendor notifications from Schneider Electric. We also have six vendor updates for products from Schneider.
Schneider Advisories
Schneider published an advisory describing a weak password recovery mechanism for forgotten password vulnerability in their Modicon Managed Switch. Schneider has a new version that mitigates the vulnerability.
Schneider published an advisory describing an improper restriction of operations within the bounds of a memory buffer vulnerability in their Harmony HMI Products. The vulnerability was reported by Jie Chen of NSFOCUS. Schneider has a new version that mitigates the vulnerability. There is no indication that Jie has been provided an opportunity to verify the efficacy of the fix.
Schneider published an advisory describing six improper check for unusual or exceptional conditions vulnerabilities in their Triconex Model 3009 Main Processor (MP) and Tricon™ Communication Module (TCM) Models. The vulnerabilities were reported by CNCERT/CC and Kunlun Digital Technology Co. Schneider reports that their engineers will have to fix the affected systems. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
Schneider published an advisory describing nine vulnerabilities in their homeLYnk and spaceLYnk products. The vulnerabilities were reported by Sharon Brizinov of Claroty. Schneider has new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.
The nine reported vulnerabilities are:
• Improper privilege management (2)
- CVE-2021-22732 and CVE-2021-22733,
• Improper verification of cryptographic
signature (2) - CVE-2021-22734 and CVE-2021-22735,
• Path traversal - CVE-2021-22736,
• Insufficiently protected
credentials - CVE-2021-22737,
• Use of broken or risky cryptographic
program - CVE-2021-22738, and
• Information exposure (2) - CVE-2021-22739 and CVE-2021-22740
Schneider published an advisory describing an improper input validation vulnerability in their Modicon M241 & M251 Logic Controllers. The vulnerability was reported by Marcin Dudek, Kinga Staszkiewicz, Jakub Suchorab, Joanna Walkiewicz from National Centre for Nuclear Research Poland. Schneider has new versions that mitigate the vulnerability. There is no indications that the researchers have been provided an opportunity to verify the efficacy of the fix.
Schneider published an advisory discussing six vulnerabilities in a variety of their products. These are third-party (CODESYS) vulnerabilities. Schneider has new versions that mitigate the vulnerabilities.
The six vulnerabilities reported are:
• Buffer overflow - CVE-2020-10245,
• Insufficient verification of data
authenticity – CVE-2020-6081
• Cross-site scripting - CVE-2019-13538,
• Incorrect permission assignment
for critical resource - CVE-2019-9008,
• Improper input validation - CVE-2019-9009,
and
• Uncontrolled resource consumption - CVE-2020-7052,
NOTE: Links to CODESYS advisories. There is no CODESYS advisory listed for CVE-2020-6081 in the NIST database.
Schneider published an advisory describing a use of password hash with insufficient computational effort in their EcoStruxure Geo SCADA Expert products. The vulnerability was reported by Nicholas Hobbs. Schneider has a new version that mitigates the vulnerability. There is no indication that Hobbs has been given an opportunity to verify the efficacy of the fix.
Schneider Updates
Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on April 12th, 2021. The new information includes adding remediation for ZBRCETH Modbus TCP communication module for ZBRN1 Harmony Hub.
Schneider published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on October 13th, 2020. The new information includes updating remediations for Modicon M241 Micro PLC and Modicon M251 Micro PLC.
Schneider published an update for their Modicon Controllers advisory was originally published on March 20th, 2020 and most recently updated on November 10th, 2020. The new information includes adding a recommendation for Customers on EcoStruxure™ Control Expert versions prior to V15.0 to upgrade to remediate CVE-2020-7475.
Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on December 8th, 2020. The new information includes adding all versions of BMXNOC0401 to the affected products table.
Schneider published an update for their Web Server on Modicon M580 Controllers that was originally published on October 8th, 2019 and most recently updated on April 15th, 2021. The new information includes announcing that mitigation measures are now available for CVE-2019-6849 on the BMENOC0311.
Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018. The new information includes:
• Updating CVSS scores, and
• Adding Modicon M580 and clarification on Modicon M340 affected products
No comments:
Post a Comment