Thursday, March 10, 2022

Review – 13 Advisories Published – 3-10-22


Today, CISA’s NCCIC-ICS published thirteen control system security advisories for products from Siemens. They also published eleven updates that I will address in a separate post. Siemens published three other advisories on Tuesday that I will address this weekend.

Mendix Advisory - This advisory describes an improper access control vulnerability in the Siemens Mendix application development platform.

NOTE: The Siemens advisory notes that remediation for Mendix 9 is not currently planned.

RUGGEDCOM Advisory #1 - This advisory describes six vulnerabilities in the Siemens RUGGEDCOM ROS based devices.

NOTE: Siemens has not identified the third-party component from which these vulnerabilities are derived. The CVEs are Siemens-assigned numbers, so there is no telling whether these vulnerabilities have previously been reported under other identifiers.

RUGGEDCOM Advisory #2 - This advisory describes a missing encryption of sensitive information vulnerability in the Siemens RUGGEDCOM devices.

SINUMERIK Advisory - This advisory describes an improper privilege management vulnerability in the Siemens SINUMERIK MC CNC control system for customized machines.

Simcenter Advisory #1 - This advisory describes two vulnerabilities in the Siemens Simcenter Femap simulation applications.

NOTE: I previously reported on these vulnerabilities on February 18th, 2022.

Simcenter Advisory #2 - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.

SINEC Advisory #1 - This advisory describes 71 vulnerabilities (28 with public exploits) in the Siemens SINEC Infrastructure Network Services (INS).

SINEC Advisory #2 - This advisory describes three vulnerabilities in the Siemens SINEC NMS network management system.

Polarion Advisory - This advisory describes a cross-site scripting vulnerability in the Siemens Polarion Subversion Webclient.

Climatix Advisory - This advisory describes three vulnerabilities in the Siemens Climatix POL909 (AWM and AWB modules).

COMOS Advisory - This advisory describes 15 vulnerabilities in the Siemens COMOS unified platform for collaborative plan design.

NOTE: Six of these vulnerabilities were reported in the Siemens JT2Go products in February 2021.

Mendix Forgot Password Advisory - This advisory describes two vulnerabilities in the Siemens Mendix Forgot Password Appstore module.

SIMOTICS Advisory - This advisory discusses the NUCLEUS:13 vulnerabilities in the Siemens SIMOTICS CONNECT 400.

NOTE: The CISA advisory does not actually mention the NUCLEUS:13 vulnerabilities by name, but the Siemens advisory does.


For more details about these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/13-advisories-published-3-10-22 - subscription required.
