Thursday, July 14, 2022

Review – 18 Advisories Published – 7-14-22

Today, CISA’s NCCIC-ICS published 18 control system security advisories for products from Open Design Alliance (1) and Siemens (17). They also published twelve updates that I will cover in a separate post. Siemens published one more advisory on Tuesday that was not covered by NCCIC-ICS today. I will cover it this weekend.

Open Design Alliance Advisory - This advisory describes three out-of-bounds read vulnerabilities in the Open Design Alliance Drawings SDK platform.

RUGGEDCOM Advisory #1 - This advisory describes a code injection vulnerability in the Siemens RUGGEDCOM ROS based devices.

NOTE: The Siemens advisory lists affected products for which no fix is planned.

RUGGEDCOM Advisory #2 - This advisory describes a code injection vulnerability in the Siemens RUGGEDCOM ROX based devices.

Opcenter Advisory - This advisory describes an incorrect implementation of authentication algorithm vulnerability in the Siemens Opcenter Quality quality management system.

EN100 Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens EN100 Ethernet Module.

NOTE: The Siemens advisory lists four of the five affected products as having no fix planned.

SIMATIC Advisory #1 - This advisory describes two vulnerabilities in the Siemens SIMATIC eaSie digital automation manager.

SIMATIC Advisory #2 - This advisory describes two vulnerabilities in the Siemens SIMATIC MV500 Optical Readers. The vulnerabilities are self-reported.

CPC80 Advisory - This advisory describes a missing release of resource after effective lifetime vulnerability in the Siemens CPC80 Firmware of SICAM A8000.

Mendix Advisory #1 - This advisory describes an improper access control vulnerability in the Siemens Mendix application platform.

Mendix Advisory #2 - This advisory describes an injection vulnerability in the Siemens Mendix Applications.

Mendix Advisory #3 - This advisory describes an XML entity expansion vulnerability in the Mendix Excel Importer Module.

SRCS VPN Advisory - This advisory describes three vulnerabilities in the Siemens SIMATIC CP Devices when using SRCS VPN.

Simcenter Advisory #1 - This advisory describes an out-of-bounds read vulnerability in the Siemens Simcenter Femap and Parasolid products.

Simcenter Advisory #2 - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap complex model simulator.

PADS Advisory - This advisory describes 20 vulnerabilities in the Siemens PADS Standard and Standard Plus PCB schematic design and layout environment.

NOTE: Siemens reports that no fix is planned.

Datalogics Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Siemens Teamcenter Visualization and JT2Go products.

SICAM Advisory - This advisory describes an exposure of resource to wrong sphere vulnerability in the Siemens SICAM GridEdge software.

SCALANCE Advisory - This advisory describes three vulnerabilities in the Siemens SCALANCE X Switch Devices.


For more details on these advisories, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/18-advisories-published-7-14-22 - subscription required.
