Sunday, March 19, 2023

Review – Public ICS Disclosures – Week of 3-11-23 – Part 2

For Part 2 we have five additional vendor disclosures from Schneider (3) and Siemens (2). We also have 38 additional updates for disclosures from Schneider (15) and Siemens (23).

Advisories

Schneider Advisory #1 - Schneider published an advisory that describes an insufficient session expiration vulnerability in their EcoStruxure™ Power Monitoring Expert.

Schneider Advisory #2 - Schneider published an advisory that describes an improper validation of an array index vulnerability in their PowerLogic™ HDPM6000.

Schneider Advisory #3 - Schneider published an advisory that describes eight vulnerabilities in their Interactive Graphical SCADA System (IGSS).

Siemens Advisory #1 - Siemens published an advisory that discusses an infinite loop vulnerability in their RADIUS Client of SIPROTEC 5 Devices.

Siemens Advisory #2 - Siemens published an advisory that discusses 17 vulnerabilities in their SCALANCE W-700 IEEE 802.11ax devices.

Updates

NOTE: The link for the update for the Schneider advisory SEVD-2021-222-04 is not currently working.

Schneider Update #1 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on January 10th, 2023.

Schneider Update #2 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on January 10th, 2023.

Schneider Update #3 - Schneider published an update for their EcoStruxure™ Geo SCADA Expert advisory that was originally published on January 10th, 2023.

Schneider Update #4 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 9th, 2022 and most recently updated on December 13th, 2022.

Schneider Update #5 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 9th, 2022 and most recently updated on December 13th, 2022.

Schneider Update #6 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on August 9th, 2022 and most recently updated on December 13th, 2022.

Schneider Update #7 - Schneider published an update for their IGSS advisory that was originally published on June 14th, 2022 and most recently updated on June 23rd, 2023.

Schneider Update #8 - Schneider published an update for their CODESYS V3 Runtime advisory that was originally published on January 11th, 2022 and most recently updated on January 10th, 2023.

Schneider Update #9 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on February 14th, 2023.

Schneider Update #10 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on July 13th, 2021 and most recently updated on December 13th, 2022.

Schneider Update #11 - Schneider published an update for their ISaGRAF Vulnerabilities advisory that was originally published on June 8th, 2021 and most recently updated on November 8th, 2022.

Schneider Update #12 - Schneider published an update for their Modicon Controllers advisory that was originally published on September 26th, 2019 and most recently updated on December 13th, 2022.

Schneider Update #13 - Schneider published an update for their Modicon Controllers advisory that was originally published on September 26th, 2019 and most recently updated on January 10th, 2023.

Schneider Update #14 - Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018 and most recently updated on February 14th, 2023.

Siemens Update #1 - Siemens published an update for their Multiple LLDP Vulnerabilities advisory.

Siemens Update #2 - Siemens published an update for their Multiple SPP File Parsing Vulnerabilities advisory.

Siemens Update #3 - Siemens published an update for their Code Injection Vulnerability in RUGGEDCOM ROS advisory.

Siemens Update #4 - Siemens published an update for their Denial of Service Vulnerability in RUGGEDCOM ROS V4 advisory.

Siemens Update #5 - Siemens published an update for their OpenSSL Vulnerabilities in Industrial Products advisory.

Siemens Update #6 - Siemens published an update for their Weak Encryption Vulnerability in RUGGEDCOM ROS Devices advisory.

Siemens Update #7 - Siemens published an update for their Denial of Service Vulnerability in OpenSSL advisory.

Siemens Update #8 - Siemens published an update for their Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go advisory.

Siemens Update #9 - Siemens published an update for their Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products advisory.

Siemens Update #10 - Siemens published an update for their Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products advisory.

Siemens Update #11 - Siemens published an update for their Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component advisory.

Siemens Update #12 - Siemens published an update for their Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices advisory.

Siemens Update #13 - Siemens published an update for their Multiple File Parsing Vulnerabilities in Solid Edge advisory.

Siemens Update #14 - Siemens published an update for their Missing Immutable Root of Trust in S7-1500 CPU devices advisory.

Siemens Update #15 - Siemens published an update for their Two Vulnerabilities in Automation License Manager advisory.

Siemens Update #16 - Siemens published an update for their Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP advisory.

Siemens Update #17 - Siemens published an update for their Multiple Vulnerabilities in SCALANCE Products advisory.

Siemens Update #18 - Siemens published an update for their SAD DNS Attack in Linux Based Products advisory.

Siemens Update #19 - Siemens published an update for their Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products advisory.

Siemens Update #20 - Siemens published an update for their Third-Party Component Vulnerabilities in RUGGEDCOM ROS advisory.

Siemens Update #21 - Siemens published an update for their Multiple Vulnerabilities in SINEC NMS and SINEMA Server advisory.

Siemens Update #22 - Siemens published an update for their OpenSSL Vulnerability in Industrial Products advisory.

Siemens Update #23 - Siemens published an update for their SISCO Stack Vulnerability in SIPROTEC 5 Devices advisory.

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, as well as a brief description of the changes in the updates, see my article at CFNS Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-b4a - subscription required.
