Today, CISA’s NCCIC-ICS published 15 control system security advisories for products from Mitsubishi Electric India, Datakit, and Siemens (13). They also published a medical device security advisory for products from Braun.
Advisories
Mitsubishi Advisory - This advisory describes a signal handler race condition vulnerability in the Mitsubishi Electric India Ethernet communication Extension unit GC-ENET-COM.
Datakit Advisory - This advisory describes five vulnerabilities in the Datakit CrossCAD/Ware_x64 library.
SCALANCE Advisory #1 - This advisory discusses the BadAlloc vulnerabilities in the Siemens SCALANCE X-200, X-200IRT, and X-300 Switch Families.
SCALANCE Advisory #2 - This advisory discusses ten vulnerabilities in the Siemens SCALANCE XCM332.
SCALANCE Advisory #3 - This advisory describes an inadequate encryption strength vulnerability in the Siemens SCALANCE X-200IRT Devices.
Polarion Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Siemens Polarion ALM products.
Teamcenter Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Siemens Teamcenter Visualization and JT2Go products.
Industrial Products Advisory - This advisory describes three vulnerabilities in the Siemens Industrial Products.
Mendix Advisory - This advisory describes an observable response discrepancy vulnerability in the Siemens Mendix Forgot Password Module.
SICAM Advisory - This advisory describes a command injection vulnerability in the Siemens CPCI85 Firmware of SICAM A8000 Devices.
SIPROTEC Advisory - This advisory describes a NULL pointer dereference vulnerability in the Siemens SIPROTEC 5 Devices.
TIA Portal Advisory - This advisory describes an improper input validation vulnerability in the Siemens TIA Portal.
Siemens in OPC Advisory - This advisory describes an improper input validation vulnerability in multiple Siemens products using the OPC Foundation Unified Architecture Local Discovery Server.
JT Open Advisory - This advisory describes an out-of-bounds read vulnerability in the Siemens JT Open and JT Utilities products.
Adaptec Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Siemens Adaptec maxView Application.
Braun Advisory - This advisory describes an eval injection vulnerability in the Braun Battery Pack SP with Wi-Fi.
For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/16-advisories-published-4-13-23 - subscription required.