Thursday, October 7, 2021

Review - 7 Advisories Published – 10-7-21

Today CISA’s NCCIC-ICS published seven control system security advisories for products from FATEK Automation (2), InHand Networks, Mitsubishi Electric, Johnson Controls (2), and Mobile Industrial Robots.

FATEK Advisory #1 - This advisory describes a stack-based buffer overflow vulnerability in the FATEK Communication Server.

FATEK Advisory #2 - This advisory describes seven vulnerabilities in the FATEK WinProladder.

InHand Advisory - This advisory describes 13 vulnerabilities in the InHand IR615 Router.

Mitsubishi Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R Series C Controller Module R12CCPU-V.

Johnson Controls Advisory #1 - This advisory describes an integer overflow or wraparound vulnerability in the Johnson Controls exacqVision Server 32-bit.

Johnson Controls Advisory #2 - This advisory describes an improper privilege management vulnerability in the Johnson Controls exacqVision Server Bundle.

Mobile Industrial Robots - This advisory describes ten vulnerabilities in the MiR MiR100, MiR200, MiR250, MiR500, MiR1000, and MiR Fleet products.

NOTE: NCCIC-ICS reports that both FATEK and InHand have failed to cooperate with the vulnerability mitigation coordination activities of the agency.

For more details about the advisories, with lots of information (including exploit links) about the Mobile Industrial Robots advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-published-10-7-21 - subscription required.
