This week we have five vendor disclosures from Siemens (3) and Schneider (2). We also have eight vendor updates from Siemens (5) and Schneider (3).
Siemens Advisory #1 - Siemens published an advisory describing an out-of-bounds write vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.
Siemens Advisory #2 - Siemens published an advisory describing three vulnerabilities in their SCALANCE X-200 and X-300/X408 switch families.
Siemens Advisory #3 - Siemens published an advisory describing three vulnerabilities in their Teamcenter digital twin simulator. (NCCIC-ICS corrected their duplicate advisory - ICSA-21-257-08 - to reflect these vulnerabilities without notice.)
Schneider Advisory #1 - Schneider published an advisory describing three vulnerabilities in the web server used by multiple products.
Schneider Advisory #2 - Schneider published an advisory describing an insufficiently protected credentials vulnerability in their Conext™ ComBox product.
Siemens Update #1 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on August 10th, 2021.
Siemens Update #2 - Siemens published an update for their WIBU Systems CodeMeter advisory that was originally published on July 13th, 2021.
Siemens Update #3 - Siemens published an update for their SINEC NMS advisory that was originally published on August 10th, 2021. (The related NCCIC-ICS advisory - ICSA-21-222-04 - was not updated.)
Siemens Update #4 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on August 10th, 2021.
Siemens Update #5 - Siemens published an update for their INFRA:HALT advisory that was originally published on August 4th, 2021.
Schneider Update #1 - Schneider published an update for the C-Bus Toolkit advisory that was originally published on April 15th, 2021 and most recently updated on June 8th, 2021. (The related NCCIC-ICS advisory - ICSA-21-105-01 - was not updated.)
Schneider Update #2 - Schneider published an update for their ISaGRAF advisory that was originally published on June 8th, 2021.
Schneider Update #3 - Schneider published an update for the Treck TCP/IPv6 advisory that was originally reported on December 18th, 2020, and most recently updated on August 10th, 2021.
Commentary
On Tuesday, I reported that NCCIC-ICS advisory ICSA-21-257-08 was a duplicate of another Siemens Teamcenter advisory published by NCCIC-ICS the same day. Today I went back and checked that advisory, and NCCIC-ICS has corrected the duplication so that ICSA-21-257-08 now covers the three Teamcenter vulnerabilities I described today. That update of ICSA-21-257-08 (dated September 16th) was not announced on either the CISA Industrial Control Systems or the ICS Archive web pages. NCCIC-ICS did not acknowledge the extent of the change on the document, nor did it list the revised advisory as Version A.
In the flood of information that was available on Tuesday it was certainly understandable that mistakes could happen. No one is perfect. But correcting a mistake, especially a mistake of this magnitude, without public announcement is unforgivable and it cheapens the valuable work being done by NCCIC-ICS.
For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9 - subscription required.