Today, CISA’s NCCIC-ICS published eleven control system security advisories for products from Siemens (4), Johnson Controls, SAUTER Controls, Panasonic, InHand Networks, RONDS, Sewio, and Hitachi Energy. They also updated a medical device security advisory for products from Philips. Siemens published two other advisories on Tuesday that were not addressed by NCCIC-ICS; I will cover them this weekend.
NOTE: NCCIC-ICS added a notice to each of the four Siemens advisories published today that: “Beginning January 10, 2023, CISA will no longer be updating historical security advisories for Siemens product vulnerabilities. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).” This will result in a significant reduction in the workload for NCCIC-ICS in the week of Cybersecurity Tuesday.
Advisories
Siemens Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Siemens Mendix SAML Module.
Siemens Advisory #2 - This advisory describes a missing immutable root of trust in hardware vulnerability in the Siemens S7-1500 CPU product family.
Siemens Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens Solid Edge product.
Siemens Advisory #4 - This advisory describes two vulnerabilities in the Siemens Automation License Manager (ALM).
Johnson Controls Advisory - This advisory describes an insufficiently protected credentials vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers.
SAUTER Advisory - This advisory describes two vulnerabilities in the SAUTER Controls Nova 200–220 Series (PLC 6).
Panasonic Advisory - This advisory describes a cross-site request forgery vulnerability in versions of the Panasonic Sanyo CCTV Network Camera.
InHand Advisory - This advisory describes five vulnerabilities in the InHand InRouter302 and InRouter615.
RONDS Advisory - This advisory describes two vulnerabilities in the RONDS Equipment Predictive Maintenance (EPM) product.
Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Lumada Asset Performance Management product.
Updates
Philips Update - This update provides additional information on an advisory that was originally published on November 18th, 2021.
For more details on these advisories, including links to researcher reports, exploits, and a discussion about problems with CVE numbers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/11-advisories-and-1-update-published-798 - subscription required.