Thursday, June 23, 2022

Review – 6 Advisories Published – 6-23-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Elcomplus, Pyramid Solutions, Secheron, and Yokogawa (2). They also published a medical device control system security advisory for products from OFFIS.

NCCIC-ICS has now reported advisories for four of the ten vendors covered in the OT:ICEFALL report.

Elcomplus Advisory - This advisory describes three vulnerabilities in the Elcomplus SmartICS web-based HMI.

Pyramid Solutions Advisory - This advisory describes an out-of-bounds write vulnerability in the Pyramid Solutions EtherNet/IP Adapter Development Kit.

NOTE: Weidmueller is almost certainly not the only vendor that uses the affected development or DLL kits. This is sure to show up (eventually) as a third-party vulnerability in a number of products.

Secheron Advisory - This advisory describes seven vulnerabilities in the Secheron SEPCOS Control and Protection Relay.

NOTE: There is a vendor level of control over PLCs? From the description in the advisory, it sounds like admin level access. Could someone try to explain the difference?

Yokogawa Advisory #1 - This advisory describes a violation of secure design principles vulnerability in the Yokogawa Consolidation Alarm Management Software for Human Interface Station (CAMS for HIS) software.

NOTE: I briefly reported on this vulnerability on May 28th, 2022.

Yokogawa Advisory #2 - This advisory discusses OT:ICEFALL vulnerabilities in the Yokogawa STARDOM network control system.

NOTE: NCCIC-ICS still is not providing links to the OT:ICEFALL report or naming Forescout as the authoring agency.

OFFIS Advisory - This advisory describes three vulnerabilities in the OFFIS DCMTK libraries and software that process DICOM image files.


For more information on these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis (subscription required).
