Today, CISA’s NCCIC-ICS published seventeen control system security advisories for products from Siemens (14), Red Lion, Johnson Controls, and Delta Electronics. They also published 22 updates for products from Siemens, but those will be covered in a subsequent post.
Mendix Advisory #1 - This advisory describes an improper access control vulnerability in the Siemens Mendix software platform.
Mendix Advisory #2 - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Siemens Mendix software platform.
TIA Administrator Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIA Administrator.
Simcenter Advisory - This advisory describes three vulnerabilities in the Siemens Simcenter Femap simulation application.
SIMATIC Advisory #1 - This advisory describes an improper access control vulnerability in the Siemens SIMATIC STEP 7 (TIA Portal).
SIMATIC Advisory #2 - This advisory describes a lengthy list of vulnerabilities (listed in this advisory as a single ‘use of unmaintained third-party components’) in the Siemens GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP.
NOTE: The Siemens version of this advisory was originally published in 2018 and most recently updated on March 8th, 2022. The list of GNU/Linux CVEs is extensive, to say the least.
SIMATIC Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens SIMATIC S7-400.
SIMATIC Advisory #4 - This advisory describes three vulnerabilities in the Siemens SIMATIC Energy Manager.
SICAM Advisory - This advisory describes a missing authentication for critical function vulnerability (with available proof-of-concept code) in the Siemens SICAM A8000 products.
SCALANCE Advisory #1 - This advisory describes nine vulnerabilities in the Siemens SCALANCE X-300 switch family devices.
SCALANCE Advisory #2 - This advisory describes three vulnerabilities in the Siemens SCALANCE W1700 wireless communications device.
SCALANCE Advisory #3 - This advisory discusses the FragAttacks WiFi vulnerabilities in the Siemens SCALANCE family devices.
NOTE: The Siemens version of this advisory was originally published on July 13th, 2021 and most recently updated on February 8th, 2022.
PROFINET Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens PROFINET Stack Integrated on Interniche Stack.
OpenSSL Advisory - This advisory discusses a NULL pointer dereference vulnerability in the Siemens Industrial Products.
Red Lion Advisory - This advisory describes four vulnerabilities in the unsupported Red Lion DA50N networking gateway.
Johnson Controls Advisory - This advisory describes an incomplete cleanup vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers.
Delta Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Delta DMARS, a Motion Controller program development tool.
Commentary
This month NCCIC-ICS published advisories for a couple of long-running advisories from Siemens. I am not sure where (CISA or Siemens) the housekeeping took place to see this happen, but this is a small but significant advance in information sharing that deserves mention.
For more details about these advisories, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/17-advisories-published-4-14-22 - subscription required.