Sunday, August 15, 2021

Review - Public ICS Disclosure – Week of 8-7-21 – Part 2

This week we have ten vendor disclosures from Siemens (2) and Schneider (8). We also have nine vendor updates from Siemens (3) and Schneider (6).

Siemens Advisories

Siemens published an advisory describing an uncontrolled resource consumption vulnerability in their Automation License Manager software.

Siemens published an advisory describing an incorrect authorization vulnerability in their Industrial Products.

Schneider Advisories

Schneider published an advisory describing an improper limitation of a path name to a restricted directory vulnerability in their Harmony HMI Products.

Schneider published an advisory describing 12 vulnerabilities in their EcoStruxure Control Expert, EcoStruxure Process Expert and SCADAPack RemoteConnect for x70 products.

Schneider published an advisory describing an uncontrolled search path element vulnerability in their Pro-face GP-Pro EX HMI screen editor & logic programming software.

Schneider published an advisory describing four vulnerabilities in their Modicon PAC Controllers and PLC simulator.

Schneider published an advisory describing an exposure of sensitive data to an unauthorized actor vulnerability in their AccuSine PCSn, PCS+ and PFV+ products.

Schneider published an advisory describing three vulnerabilities in their Programmable Automation Controller (PacDrive) M products.

Schneider published an advisory describing two vulnerabilities in their NTZ Mekhanotronika Rus. LLC control panels.

Schneider published an advisory describing a remote code execution vulnerability in their NTZ Mekhanotronika Rus. LLC SHFK-MT-104 control panels.

Siemens Updates

Siemens published an update to their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on July 13th, 2021.

Siemens published an update to their OpenSSL advisory that was originally reported on July 13th, 2021.

Schneider Updates

Schneider published an update for their Embedded Web Server advisory that was originally reported on June 8th, 2021.

Schneider published an update for their Treck HTTP Server Vulnerability that was originally reported on December 18th, 2020.

Schneider published an update for their Treck TCP/IPv6 Vulnerabilities advisory that was originally published on December 18th, 2020 and most recently updated on July 13th, 2021.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on December 8th, 2020.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on December 8th, 2020.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on November 10th, 2020.

 

For more details on the advisories and updates, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-8-7 - subscription required.
