Review – 5 Advisories and 2 Updates Published – 11-29-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Mitsubishi (2), Moxa, and Hitachi Energy (2). They also updated advisories for products from Omron and Mitsubishi.

Mitsubishi Advisory #1 - This advisory describes ten vulnerabilities in the Mitsubishi FA Engineering software.

NOTE: I briefly discussed these vulnerabilities on Saturday.

Mitsubishi Advisory #2 - This advisory describes an improper input validation vulnerability in the GOT2000 series. The vulnerability was self-reported. Mitsubishi has new versions that mitigate the vulnerability.

NOTE: I briefly discussed this vulnerability on Saturday.

Moxa Advisory - This advisory describes an improper physical access control vulnerability in the Moxa UC Series, industrial internet-of-things (IIoT) gateway devices.

Hitachi Energy Advisory #1 - This advisory describes an improper input validation vulnerability in the Hitachi Energy MicroSCADA Pro/X SYS600 products.

NOTE: I briefly discussed this vulnerability on November 19^th.

Hitachi Energy Advisory #2 - This advisory discusses a cleartext storage of sensitive information vulnerability in the Hitachi Energy IED Connectivity Packages and PCM600 products.

NOTE: I briefly discussed this vulnerability on November 19^th.

Omron Update - This update provides additional information on an advisory that was originally published on December 12^th, 2019.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 30^th, 2021 and most recently updated on July 26^th, 2022.

NOTE: I briefly discussed this vulnerability on November 19^th.

 

For more information on these advisories and updates, including links to 3^rd party advisories and summaries of changes in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-dfb - subscription required.