Today CISA’s NCCIC-ICS published nine control system security advisories for products from Siemens (6), Mitsubishi, Uffizio, and Schneider Electric. The Siemens advisories upon which the NCCIC-ICS advisories are based were published on Tuesday. NCCIC-ICS also published 13 updates that I will discuss in a later post.
SIMATIC Advisory - This advisory describes a missing authentication for critical function vulnerability in the Siemens SIMATIC Process Historian.
RUGGEDCOM Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens RUGGEDCOM ROX, switches and serial-to-Ethernet devices.
SCALANCE Advisory - This advisory discusses 15 vulnerabilities in the SCALANCE W1750D software management platform.
Solid Edge Advisory - This advisory describes ten vulnerabilities in the Siemens Solid Edge, 3D CAD and solid modeling software.
SINEC NMS Advisory - This advisory describes 15 vulnerabilities in the Siemens SINEC NMS network management software.
SINUMERIK Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Siemens SINUMERIK Controllers.
Mitsubishi Advisory - This advisory describes an authorization bypass through user-controlled key in the Mitsubishi MELSEC iQ-R Series CPU Module.
Uffizio Advisory - This advisory describes five vulnerabilities in the Uffizio GPS Tracker software.
Schneider Advisory - This advisory describes an improper privilege management vulnerability in the Schneider ConneXium Network Manager (CNM) Software.
NOTE: Schneider published four other new advisories this week. I will address those this weekend.
For more details about these advisories, including links to third-party advisories and vulnerability reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/9-advisories-published-10-14-21 - subscription required.