Tuesday, August 30, 2022

Review – 11 Advisories and 1 Update Published – 8-30-22

Today, CISA’s NCCIC-ICS published eleven control system security advisories for products from Johnson Controls, PTC Kepware, Omron, Honeywell (3), Fuji Electric, and Hitachi Energy (4). They also updated an advisory for products from Mitsubishi Electric.

Johnson Controls Advisory - This advisory describes a command injection vulnerability in the Johnson Controls (Tyco subsidiary) iSTAR Ultra door controller.

PTC Advisory - This advisory describes two vulnerabilities in the Kepware KEPServerEX connectivity platform.

NOTE: NCCIC-ICS reports that these vulnerabilities also affect the following products as third-party vulnerabilities:

• Rockwell Automation KEPServer Enterprise,

• GE Digital Industrial Gateway Server, and

• Software Toolbox TOP Server

Honeywell Advisory #1 - This advisory discusses an OT:ICEFALL vulnerability in the Honeywell Trend Controls IQ Series IC.

Honeywell Advisory #2 - This advisory discusses an OT:ICEFALL vulnerability in the Honeywell Experion LX distributed control system.

Honeywell Advisory #3 - This advisory discusses an OT:ICEFALL vulnerability in the Honeywell ControlEdge PLC.

Fuji Advisory - This advisory describes two vulnerabilities in the Fuji D300win programming support tool.

Hitachi Energy Advisory #1 - This advisory describes an improper input validation vulnerability in the Hitachi Energy RTU500.

Hitachi Energy Advisory #2 - This advisory describes a reliance on uncontrolled component vulnerability in the Hitachi Energy MSM Product.

NOTE: I briefly discussed the 13 underlying vulnerabilities (3 with known exploits) on July 16th, 2022.

Hitachi Energy Advisory #3 - This advisory describes a reliance on uncontrolled component vulnerability in the Hitachi Energy Gateway Station product.

NOTE: I briefly discussed the 7 underlying vulnerabilities (6 with known exploits) on May 8th, 2022.

Hitachi Energy Advisory #4 - This advisory describes a reliance on uncontrolled component vulnerability in the Hitachi Energy FACTS Control Platform product.

NOTE: I briefly discussed the 7 underlying vulnerabilities (6 with known exploits) on May 8th, 2022.

Mitsubishi Update - This update provides additional information for an advisory that was originally published on August 9th, 2022 and most recently updated on August 18th, 2022.

For more details on these advisories and the update, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/11-advisories-and-1-update-published - subscription required.
