Sunday, February 13, 2022

Review - Public ICS Disclosures – Week of 2-5-22 – Part 3

Finally. We have 18 updates from Siemens.

NOTE: My copy of the Siemens advisory spreadsheet contained duplicate entries. That is what lead to the inflated count of updates in my earlier post.

NTP-Client Update - Siemens published an update for their SIMATIC NTP-Client advisory that was originally published on June 8th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-159-11) for this information.

OPC UA Update - Siemens published an update for their OPC UA in Industrial Products advisory that was originally published on April 9th, 2019 and most recently updated on March 10th

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-03) for this information.

Number:Jack Update - Siemens published an update for their NUMBER:JACK advisory that was originally published on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-13) for this information.

Industrial Products Update #1 - Siemens published an update for their Industrial Products advisory that was originally published on December 5th, 2017 and most recently updated on October 14th, 2021

NOTE: NCCIC-ICS did not update their advisory (ICSA-17-339-01) for this information.

Industrial Products Update #2 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on December 8th, 2020.

NOTE: NCCIC-ICS last updated their advisory (ICSA-19-099-06) for this product back in August 2020.

Industrial Products Update #3 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on December 8th, 2020.

Industrial Realtime Products Update - Siemens published an update for their Industrial Realtime Products advisory that was  originally published on October 10th, 2019 and most recently updated on October 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-01) for this information.

GNU/Linux Update - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on November 9th, 2021.

TCP Sack Panic Update - Siemens published an update for their TCP SACK PANIC advisory that was was originally published on August 13th, 2019 and most recently updated on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-253-03) for this information.

PROFINET Update #1 - Siemens published an update for their PROFINET advisory that was originally published on October 10th, 2019 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-02) for this information.

PROFINET Update #2 - Siemens published an update for their PROFINET advisory that was originally published on July 11th, 2021 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-194-03) for this information.

PROFINET Update #3 - Siemens published an update for their PROFINET advisory that was originally published on February 11th, 2020 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-042-04) for this information.

SegmentSmack Update - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on March 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-105-08) for this information.

Log4Shell Update #1 - Siemens published an update for their general Log4Shell advisory.

Log4Shell Update #2 - Siemens published an update for their Log4Shell in SPPA-T3000 advisory.

WIBU Codemeter Update - Siemens published an update for their WIBU Codemeter advisory that was originally published on July 13th, 2021 and most recently updated on November 9th, 2021.

OpenSSL Update - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on January 11th, 2022.

Amnesia:33 Update - Siemens published an update for their Amnesia:33 advisory that was originally published on March 9th, 2021 and most recently updated on October 12th, 2021.

FragAttacks Update - Siemens published an update for their FragAttacks advisory that was originally published on July 13th, 2021 and most recently updated on October 12th, 2021.

Commentary

This month, NCCIC-ICS missed updating 11 of their advisories for changes in the respective Siemens advisories. I understand that CISA currently has a number of issues on its plate including cybersecurity fallout from the potential war in Ukraine, but updating these advisories is important business.

More disturbing than that, though, is the fact that NCCIC-ICS has ignored the effectively end-of-life messages in many of these updates and new advisories from Siemens this month. The fact that Siemens has no intention of developing mitigation measures for, in some cases, multiple vulnerabilities in a product line should weigh heavily in the decision-making process at many industrial organizations. And many organizations rely on CISA’s advisories for that type of information.

 

For more details about these updates, including lists of unsupported products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-f27 - subscription required.

Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
 
/* Use this with templates/template-twocol.html */