For Part 2 this week we have eight additional vendor disclosures from Schneider (6) and Siemens (2). We also have 19 additional vendor updates from Schneider (3) and Siemens (16). Just a reminder: NCCIC-ICS announced this week that they were no longer going to be updating Siemens advisories; apparently the workload just got to be too much.
Vendor Disclosures
Schneider Advisory #1 - Schneider published an
advisory that describes an out-of-bounds write vulnerability in their EcoStruxure™
Machine Expert.
Schneider Advisory #2 - Schneider published an
advisory that describes two vulnerabilities in the EcoStruxure™ Geo SCADA
Expert.
Schneider Advisory #3 - Schneider published an
advisory that discusses an access of uninitialized pointer vulnerability in
their EcoStruxure™ products.
Schneider Advisory #4 - Schneider published an
advisory that describes an exposure of resource to wrong sphere
vulnerability in the EcoStruxure™ Power SCADA Anywhere product.
Schneider Advisory #5 - Schneider published an
advisory that describes an improper check for unusual or exceptional
conditions vulnerability in their EcoStruxure™ Control Expert, EcoStruxure™
Process Expert, and Modicon PLCs.
Schneider Advisory #6 - Schneider published an
advisory that describes an authentication bypass vulnerability in their
EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, and Modicon M340,
M580 and M580 CPU Safety products.
Siemens Advisory #1 - Siemens published an
advisory that describes three vulnerabilities in their JT Open, JT
Utilities and Solid Edge products.
NOTE: The first two vulnerabilities were reported in other
Siemens products in December of 2021.
Siemens Advisory #2 - Siemens published an advisory that discusses twelve vulnerabilities in their SINEC Infrastructure Network Services (INS).
Vendor Updates
Schneider Update #1 - Schneider published an
update of their CODESYS Runtime advisory that was originally
published on January 11th, 2022 and most
recently updated on July 12th, 2022.
Schneider Update #2 - Schneider published an
update of their BadAlloc advisory that was originally
published on November 9th, 2021 and most
recently updated on December 13th, 2022.
Schneider Update #3 - Schneider published an
update of their Modicon Controllers advisory that was originally
published on September 26th, 2019 and most
recently updated on September 13th, 2022.
Siemens Update #1 - Siemens published an update
of their OpenSSL advisory that was originally
published on June 16th, 2022 and most
recently updated on December 13th, 2022.
Siemens Update #2 - Siemens published an update
of their SCALANCE advisory that was originally
published on August 9th, 2022 and most
recently updated on September 13th, 2022.
Siemens Update #3 - Siemens published an update
of their TCP Event Service advisory that was originally
published on October 11th, 2022.
Siemens Update #4 - Siemens published an update
of their SegmentSmack advisory that was originally
published on April 14th, 2020 and most
recently updated on December 13th, 2022.
Siemens Update #5 - Siemens published an update
of their Industrial Products advisory that was originally
published on March 20th, 2018 and most
recently updated on August 9th, 2022.
Siemens Update #6 - Siemens published an update
of their SCALANCE advisory that was originally
published on February 11th, 2020 and most
recently updated on December 13th, 2022.
Siemens Update #7 - Siemens published an update
of their SIMATIC WinCC advisory that was originally
published on December 13th, 2022.
Siemens Update #8 - Siemens published an update
of their Industrial Products advisory that was originally
published on April 9th, 2019 and most
recently updated on August 9th, 2022.
Siemens Update #9 - Siemens published
an update of their Industrial Controllers advisory that was originally
published on November 8th, 2022 and most
recently updated on December 13th, 2022.
Siemens Update #10 - Siemens published an update
of their PROFINET devices advisory that was originally
published on October 10th, 2019 and most
recently updated on December 13th, 2022.
Siemens Update #11 - Siemens published an update
of their PROFINET stack advisory that was originally
published on April 14th, 2022 and most
recently updated on December 13th, 2022.
Siemens Update #12 - Siemens published an update
of their SIMATIC S7 advisory that was originally
published on February 11th, 2020 and most
recently updated on August 9th, 2022.
Siemens Update #13 - Siemens published an update
of their Industrial Products advisory that was originally
published on December 13th, 2022.
Siemens Update #14 - Siemens published an update
of their Industrial Real Time Devices advisory that was originally
published on October 10th, 2019 and most
recently updated on February 8th, 2022.
Siemens Update #15 - Siemens published an update
of their Mendix workflow advisory that was originally
published on December 13th, 2022.
Siemens Update #16 - Siemens published an update
of their SIMATIC S7-400 advisory that was originally
published on November 13th, 2018, and most
recently updated on August 9th, 2022.
For more details on these disclosures, including links to third-party
advisories, exploits and a brief summary of update changes, see my article at
CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-39e
- subscription required.