Today, CISA’s NCCIC-ICS published five control system security advisories for products from Elcomplus, Pyramid Solutions, Secheron, and Yokogawa (2). They also published a medical device control system security advisory for products from OFFIS.
NCCIC-ICS has now reported advisories for four of the ten vendors covered in the OT:ICEFALL report.
Elcomplus Advisory - This advisory
describes three vulnerabilities in the Elcomplus SmartICS web-based HMI.
Pyramid Solutions Advisory - This advisory
describes an out-of-bounds write vulnerability in the Pyramid Solutions EtherNet/IP
Adapter Development Kit.
NOTE: Weidmueller is almost certainly not the only vendor
that uses the affected development or DLL kits. This is sure to show up
(eventually) as a third-party vulnerability in a number of products.
Secheron Advisory - This advisory
describes seven vulnerabilities in the Secheron SEPCOS Control and Protection
Relay.
NOTE: There is a vendor level of control over PLC’s? From
the description in the advisory, it sounds like admin level access. Could
someone try to explain the difference?
Yokogawa Advisory #1 - This advisory
describes a violation of secure design principles vulnerability in the Yokogawa
Consolidation Alarm Management Software for Human Interface Station (CAMS for
HIS) software.
NOTE: I briefly
reported on this vulnerability on May 28th, 2022.
Yokogawa Advisory #2 - This advisory discusses
OT:ICEFALL
vulnerabilities in the Yokogawa STARDOM network control system.
NOTE: NCCIC-ICS still is not providing links to the
OT:ICEFALL report or naming Forescout as the authoring agency.
OFFIS Advisory - This advisory
describes three vulnerabilities in the OFFIS DCMTK libraries and software that
process DICOM image files.
For more information on these advisories, including links to
researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-6-23-22
- subscription required.
Posts
No comments:
Post a Comment