Today CISA’s NCCIC-ICS published fourteen control system security advisories for products from Siemens (8), Thales, Schneider Electric (2), AVEVA, Open Design Alliance, and Johnson Controls. NCCIC-ICS also published ten updates today; they will be addressed in a separate blog post tomorrow.
Siemens Advisories
• JT2Go Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens JT2Go and Teamcenter Visualization products.
• SIMATIC Advisory #1 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC RF Products.
• Simcenter Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap products.
• SIMATIC Advisory #2 - This advisory describes fifteen vulnerabilities in the Siemens SIMATIC NET CP 443-1 OPC UA product.
• SIMATIC Advisory #3 - This advisory describes two vulnerabilities in the Siemens SIMATIC TIM 1531 IRC.
• Solid Edge Advisory - This advisory describes two out-of-bounds write vulnerabilities in the Siemens Solid Edge products.
• TIM Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIM 1531 IRC.
• Mendix Advisory - This advisory describes an insufficient verification of data authenticity vulnerability in the Siemens Mendix SAML Module.
Thales Advisory
This advisory describes an incomplete cleanup vulnerability in the Thales Sentinel LDK Run-Time Environment (RTE).
Schneider Advisories
• Modicon Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Modicon X80 product.
• IGSS Advisory - This advisory describes thirteen vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS).
NOTE: Schneider published four additional advisories today. If they are not addressed by NCCIC-ICS on Thursday, I will discuss them in my Public ICS Disclosure post this weekend.
AVEVA Advisory
This advisory describes a clear-text storage of sensitive information in memory vulnerability in the AVEVA InTouch 2020 R2 product.
NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.
ODA Advisory
This advisory describes eight vulnerabilities in the ODA Drawings SDK product.
Johnson Controls Advisory
This advisory describes an improper privilege management vulnerability in the Johnson Controls Metasys Servers, Engines, and Tools.
NOTE: I briefly discussed (subscription required) this vulnerability last Saturday in my Public ICS Disclosure post.
For a more detailed discussion of these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-published-6-8-21. Subscription required.