Tuesday, November 30, 2021

Review - 5 Advisories and 2 Updates Published – 11-30-21

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Hitachi Energy, Johnson Controls, Delta Electronics, Mitsubishi Electric, and Xylem. They also updated two advisories for products from multiple RTOS and InHand Networks.

Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Retail Operations and Counterparty Settlement and Billing (CSB) Product.

NOTE: I briefly discussed the two supporting Hitachi Energy advisories along with five others on November 6th, 2021.

Johnson Controls Advisory - This advisory discusses an off-by-one error vulnerability in the Johnson Controls Controlled Electronic Management Systems Ltd. CEM Systems AC2000.

Delta Electronics Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta Electronics CNCSoft software management software.

Mitsubishi Advisory - This advisory describes three vulnerabilities in the Mitsubishi MELSEC CPU module and MELIPC Series software management platform.

Xylem Advisory - This advisory describes an SQL injection vulnerability in the Xylem Aanderaa GeoView web-based data display.

Multiple RTOS Update - This update provides additional information on an advisory that was originally published on April 29th, 2021 and most recently updated on August 17th, 2021.

NOTE 1: I briefly discussed the reported Hitachi Energy RTU500 advisory on November 20th.

NOTE 2: I briefly discussed the reported Hitachi Energy MSM advisory on August 21st, 2021.

InHand Networks Update - This update provides additional information on an advisory that was originally published on October 7th, 2021.

NOTE: InHand went from a notation of “InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities” to having a vendor security advisories page with vulnerability reporting contact information and PGP public key listing. I hope they keep it up; it has been added to my weekly checklist.

For more details on these advisories and updates, including links to 3rd party vendors and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published - subscription required.
