Sunday, April 17, 2022

Review – Public ICS Disclosures – Week of 4-9-22 – Part 2

For Part 2 we have 2nd Tuesday vendor disclosures and updates from Siemens and Schneider that were not addressed earlier by CISA’s NCCIC-ICS. We have two vendor disclosures from Schneider (all of the Siemens original disclosures were covered by CISA this month). We also have fourteen updates from Siemens (10) and Schneider (4). Finally, we have a Schneider security bulletin addressing the INCONTROLLER ICS attack tools.

Schneider Advisory #1 - Schneider published an advisory describing a buffer copy without checking size of input vulnerability in the Data Server module for their IGSS (Interactive Graphical SCADA System) product.

Schneider Advisory #2 - Schneider published an advisory describing an improper privilege management vulnerability in their Modicon M340 Controller and Communication Modules.

Siemens Update #1 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on March 8th, 2022.

Siemens Update #2 - Siemens published an update for their SIMATIC advisory that was originally published on March 29th, 2018 and most recently updated on March 12th, 2019.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-18-088-03) for this new information.

Siemens Update #3 - Siemens published an update for their TCP SACK PANIC advisory that was originally published on September 10th, 2019 and most recently updated on March 8th, 2022.

NOTE: NCCIC-ICS did update their advisory (ICSA-19-253-03) for this new information, but did not list it on their ICS Archive page to let the public know about the update.

Siemens Update #4 - Siemens published an update for their SIMATIC advisory that was originally published on March 8th, 2022.

Siemens Update #5 - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on March 28th, 2022.

Siemens Update #6 - Siemens published an update for their Log4Shell Advisory that was originally published on December 13th, 2021 and most recently updated on March 8th, 2022.

Siemens Update #7 - Siemens published an update for their OpenSSH advisory that was originally published on September 14th, 2021.

Siemens Update #8 - Siemens published an update for their OpenSSL advisory that was originally published on December 10th, 2019 and most recently updated on February 17th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-06) for these changes.

Siemens Update #9 - Siemens published an update for their PROFINET advisory that was originally published on February 11th, 2020 and most recently updated on February 8th, 2022.

Siemens Update #10 - Siemens published an update for their FragAttacks advisory that was originally published on July 13th, 2021 and most recently updated on February 8th, 2022.

Schneider Update #1 - Schneider published an update for their EcoStruxure advisory that was originally published on July 13th, 2021 and most recently updated on March 8th, 2022.

Schneider Update #2 - Schneider published an update for their CODESYS advisory that was originally published on January 11th, 2022 and most recently updated on February 8th, 2022.

Schneider Update #3 - Schneider published an update for their ATT Labs Compressor advisory that was originally published on August 10th, 2021 and most recently updated on March 9th, 2022.

Schneider Update #4 - Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018 and most recently updated on May 11th, 2021.

Schneider Bulletin - On Wednesday, Schneider published a security bulletin discussing the INCONTROLLER ICS attack tools that target Schneider PLCs (among others).


For more details about these disclosures and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-25e - subscription required.
