Review - 8 Advisories Published – 12-2-21

Today, CISA’s NCCIC-ICS published eight control system security advisories for products from Hitachi Energy (5), Distributed Data Systems, Johnson Controls, and Schneider Electric.

RTU500 Advisory #1 - This advisory discusses three vulnerabilities in the Hitachi Energy the RTU500 series. These are third-party vulnerabilities.

NOTE: The Hitachi Energy advisory for these vulnerabilities is actually an update from an advisory that was originally published on November 17^th, 2021. That update provided mitigation measures for RTU500 series CMU.

PCM600 Advisory - This advisory describes an improper certificate validation vulnerability in the Hitachi Energy PCM600 Update Manager.

NOTE: I briefly described this vulnerability on October 31^st, 2021.

APM Edge Advisory - This advisory describes a using components with known vulnerabilities vulnerability in the Hitachi Energy Transformer Asset Performance Management (APM) Edge product. NOTE: The Hitachi advisory upon which this was based is actually an update of an advisory that was originally published on November 2^nd, 2021. The update removed eight CVE’s from the original list (CVE-2017-18258, CVE-2018-14404, CVE-2018-14567, CVE-2020-7595, CVE-2019-1543, CVE-2019-1552, CVE-2021-3450, and CVE-2019-19956).

Relion Advisory - This advisory describes an insecure default initialization of resource vulnerability in the Hitachi Energy Relion 670/650/SAM600-IO series products.

NOTE: I briefly reported this vulnerability on November 6^th, 2021.

RTU500 Advisory #2 - This advisory describes an improper input validation vulnerability in the Hitachi Energy RTU500 series Bidirectional Communication Interface (BCI).

NOTE: I briefly reported this vulnerability on November 20^th, 2021.

Distributed Data Systems Advisory - This advisory describes two vulnerabilities in the Distributed Data Systems WebHMI.

Johnson Controls Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Johnson Controls (Kantech subsidiary) EntraPass security management software.

Schneider Advisory - This advisory describes an insufficient entropy vulnerability in the Schneider Electric Software Update (SESU) application.

NOTE: I briefly reported on this vulnerability on November 14^th, 2021.

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-12-2-21 - subscription required.