Sunday, February 19, 2023

Review – Public ICS Disclosures – Week of 2-11-23 – Part 2

For part two this week we have five additional vendor advisories from Beijer Electronics, Schneider (3) and Siemens. There are also sixteen vendor updates from Schneider (7) and Siemens (9).

Vendor Advisories

Beijer Advisory - Beijer published an advisory that describes two vulnerabilities in their Korenix JetWave products.

NOTE: Added link 1347 hrs on April 6th, 2023

Schneider Advisory #1 - Schneider published an advisory that describes an improper output neutralization for logs vulnerability in their EcoStruxure Geo SCADA Expert software.

Schneider Advisory #2 - Schneider published an advisory that describes nine vulnerabilities in their StruxureWare Data Center Expert.

Schneider Advisory #3 - Schneider published an advisory that describes an improper authentication vulnerability in their Merten KNX devices.

Siemens Advisory - Siemens published an advisory that describes 19 vulnerabilities.

Vendor Updates

Schneider Update #1 - Schneider published an update for their NetBotz 4 advisory that was originally published on November 8th, 2022.

Schneider Update #2 - Schneider published an update for their Modicon M340 Controller and Communication Modules advisory that was originally published on April 12th, 2022 and most recently updated on September 13th, 2022.

Schneider Update #3 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on January 10th, 2023.

Schneider Update #4 - Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on September 14th, 2021 and most recently updated on September 13th, 2022.

Schneider Update #5 - Schneider published an update for their NicheStack TCP/IP Vulnerabilities advisory that was originally published on August 5th, 2021 and most recently updated on September 13th, 2022.

Schneider Update #6 - Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on November 10th, 2020 and most recently updated on September 13th, 2022.

Schneider Update #7 - Schneider published an update for their Embedded FTP Servers for Modicon PAC Controllers advisory that was originally published on March 22nd, 2018 and most recently updated on December 13th, 2022.

Siemens Update #1 - Siemens published an update for their Denial of Service Vulnerability in OpenSSL advisory that was originally published on June 16th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #2 - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on January 10th, 2023.

Siemens Update #3 - Siemens published an update for their SINUMERIK ONE and SINUMERIK MC advisory that was originally published on November 8th, 2022.

Siemens Update #4 - Siemens published an update for their SCALANCE W1750D advisory that was originally published on November 8th, 2022.

Siemens Update #5 - Siemens published an update for their S7-1500 CPU devices advisory that was originally published on January 10th, 2023.

Siemens Update #6 - Siemens published an update for their PROFINET Stack Integrated on Interniche Stack advisory that was originally published on April 14th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #7 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on December 13th, 2022.

Siemens Update #8 - Siemens published an update for their FTP Server of Nucleus RTOS advisory that was originally published on October 13th, 2022 and most recently updated on December 13th, 2022.

Siemens Update #9 - Siemens published an update for their Insyde BIOS vulnerabilities advisory that was originally published on February 22nd, 2022 and most recently updated on October 11th, 2022.

 

For additional information on these disclosures, including links to vendor reports and exploits as well as a brief summary of changes in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-0a7 - subscription required.
