Finally. We have 18 updates from Siemens.
NOTE: My copy of the Siemens advisory spreadsheet contained
duplicate entries. That is what led to the inflated count of updates in my
earlier post.
NTP-Client Update - Siemens published an update
for their SIMATIC NTP-Client advisory that was originally
published on June 8th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-21-159-11)
for this information.
OPC UA Update - Siemens published an update
for their OPC UA in Industrial Products advisory that was originally published
on April 9th, 2019 and most recently updated on March 10th.
NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-03)
for this information.
Number:Jack Update - Siemens published an update
for their NUMBER:JACK advisory that was originally
published on September 14th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-13)
for this information.
Industrial Products Update #1 - Siemens published an update
for their Industrial Products advisory that was originally
published on December 5th, 2017 and most
recently updated on October 14th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-17-339-01)
for this information.
Industrial Products Update #2 - Siemens published an update
for their Industrial Products advisory that was originally
published on December 10th, 2019 and most
recently updated on December 8th, 2020.
NOTE: NCCIC-ICS last updated their advisory (ICSA-19-099-06)
for this product back in August 2020.
Industrial Products Update #3 - Siemens published an update
for their Industrial Products advisory that was originally
published on December 10th, 2019 and most
recently updated on December 8th, 2020.
Industrial Realtime Products Update - Siemens published an update
for their Industrial Realtime Products advisory that was originally
published on October 10th, 2019 and most
recently updated on October 14th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-01)
for this information.
GNU/Linux Update - Siemens published an update
for their GNU/Linux advisory that was originally
published in 2018 and most
recently updated on November 9th, 2021.
TCP Sack Panic Update - Siemens published an update
for their TCP SACK PANIC advisory that was originally
published on August 13th, 2019 and most
recently updated on September 14th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-19-253-03)
for this information.
PROFINET Update #1 - Siemens published an update
for their PROFINET advisory that was originally
published on October 10th, 2019 and most
recently updated on October 12th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-02)
for this information.
PROFINET Update #2 - Siemens published an update
for their PROFINET advisory that was originally
published on July 11th, 2021 and most
recently updated on October 12th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-21-194-03)
for this information.
PROFINET Update #3 - Siemens published an update
for their PROFINET advisory that was originally
published on February 11th, 2020 and most
recently updated on October 12th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-20-042-04)
for this information.
SegmentSmack Update - Siemens published an update
for their SegmentSmack advisory that was originally
published on April 14th, 2020 and most
recently updated on March 9th, 2021.
NOTE: NCCIC-ICS did not update their advisory (ICSA-20-105-08)
for this information.
Log4Shell Update #1 - Siemens published an update
for their general Log4Shell advisory.
Log4Shell Update #2 - Siemens published an update
for their Log4Shell in SPPA-T3000 advisory.
WIBU Codemeter Update - Siemens published an update
for their WIBU Codemeter advisory that was originally
published on July 13th, 2021 and most
recently updated on November 9th, 2021.
OpenSSL Update - Siemens published an update
for their OpenSSL advisory that was originally
reported on July 13th, 2021 and most
recently updated on January 11th, 2022.
Amnesia:33 Update - Siemens published an update
for their Amnesia:33 advisory that was originally
published on March 9th, 2021 and most
recently updated on October 12th, 2021.
FragAttacks Update - Siemens published an update
for their FragAttacks advisory that was originally
published on July 13th, 2021 and most
recently updated on October 12th, 2021.
Commentary
This month, NCCIC-ICS missed updating 11 of their advisories
for changes in the respective Siemens advisories. I understand that CISA currently
has a number of issues on its plate including cybersecurity fallout from the
potential war in Ukraine, but updating these advisories is important business.
More disturbing than that, though, is the fact that NCCIC-ICS
has ignored the effectively end-of-life messages in many of these updates and new
advisories from Siemens this month. The fact that Siemens has no intention of
developing mitigation measures for, in some cases, multiple vulnerabilities in
a product line should weigh heavily in the decision-making process at many industrial
organizations. And many organizations rely on CISA’s advisories for that type
of information.
For more details about these updates, including lists of
unsupported products, see my article at CFSN Detailed Analysis
(subscription required):
https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-f27