Sunday, February 13, 2022

Review - Public ICS Disclosures – Week of 2-5-22 – Part 3

Finally. We have 18 updates from Siemens.

NOTE: My copy of the Siemens advisory spreadsheet contained duplicate entries. That is what led to the inflated count of updates in my earlier post.

NTP-Client Update - Siemens published an update for their SIMATIC NTP-Client advisory that was originally published on June 8th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-159-11) for this information.

OPC UA Update - Siemens published an update for their OPC UA in Industrial Products advisory that was originally published on April 9th, 2019 and most recently updated on March 10th

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-03) for this information.

Number:Jack Update - Siemens published an update for their NUMBER:JACK advisory that was originally published on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-13) for this information.

Industrial Products Update #1 - Siemens published an update for their Industrial Products advisory that was originally published on December 5th, 2017 and most recently updated on October 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-17-339-01) for this information.

Industrial Products Update #2 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on December 8th, 2020.

NOTE: NCCIC-ICS last updated their advisory (ICSA-19-099-06) for this product back in August 2020.

Industrial Products Update #3 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on December 8th, 2020.

Industrial Realtime Products Update - Siemens published an update for their Industrial Realtime Products advisory that was originally published on October 10th, 2019 and most recently updated on October 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-01) for this information.

GNU/Linux Update - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on November 9th, 2021.

TCP Sack Panic Update - Siemens published an update for their TCP SACK PANIC advisory that was originally published on August 13th, 2019 and most recently updated on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-253-03) for this information.

PROFINET Update #1 - Siemens published an update for their PROFINET advisory that was originally published on October 10th, 2019 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-02) for this information.

PROFINET Update #2 - Siemens published an update for their PROFINET advisory that was originally published on July 11th, 2021 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-194-03) for this information.

PROFINET Update #3 - Siemens published an update for their PROFINET advisory that was originally published on February 11th, 2020 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-042-04) for this information.

SegmentSmack Update - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on March 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-105-08) for this information.

Log4Shell Update #1 - Siemens published an update for their general Log4Shell advisory.

Log4Shell Update #2 - Siemens published an update for their Log4Shell in SPPA-T3000 advisory.

WIBU Codemeter Update - Siemens published an update for their WIBU Codemeter advisory that was originally published on July 13th, 2021 and most recently updated on November 9th, 2021.

OpenSSL Update - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on January 11th, 2022.

Amnesia:33 Update - Siemens published an update for their Amnesia:33 advisory that was originally published on March 9th, 2021 and most recently updated on October 12th, 2021.

FragAttacks Update - Siemens published an update for their FragAttacks advisory that was originally published on July 13th, 2021 and most recently updated on October 12th, 2021.

Commentary

This month, NCCIC-ICS missed updating 11 of their advisories for changes in the respective Siemens advisories. I understand that CISA currently has a number of issues on its plate including cybersecurity fallout from the potential war in Ukraine, but updating these advisories is important business.

More disturbing than that, though, is the fact that NCCIC-ICS has ignored the effectively end-of-life messages in many of these updates and new advisories from Siemens this month. The fact that Siemens has no intention of developing mitigation measures for, in some cases, multiple vulnerabilities in a product line should weigh heavily in the decision-making process at many industrial organizations. And many organizations rely on CISA’s advisories for that type of information.

 

For more details about these updates, including lists of unsupported products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-f27 - subscription required.
