Monday, April 17, 2023

Review – Public ICS Disclosures – Week of 4-8-23 – Part 3

For Part 3, we have 35 vendor updates from Schneider (4) and Siemens (31). We also have a researcher report for products from Triangle Microworks. Finally, we have five exploits for products from Paradox Security, Palo Alto Networks, FortiGuard, Schneider Electric, and Franklin Fueling Systems.

Updates

Schneider Update #1 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on January 10th, 2023 and most recently updated on March 14th, 2023.

Schneider Update #2 - Schneider published an update for their SCADAPack Workbench advisory that was originally published on March 28th, 2023.

Schneider Update #3 - Schneider published an update for their CODESYS V3 Runtime advisory that was originally published on January 11th, 2022 and most recently updated on March 14th, 2023.

Schneider Update #4 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on March 14th, 2023.

Siemens Update #1 - Siemens published an update for their SNMP in Multiple Industrial Products advisory that was originally published on February 11th, 2020 and most recently updated on June 14th, 2022.

Siemens Update #2 - Siemens published an update for their RUGGEDCOM ROS advisory that was originally published on July 12th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #3 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on November 9th, 2021 and most recently updated on July 12th, 2022.

Siemens Update #4 - Siemens published an update for their Industrial Products advisory that was originally published on February 28th, 2022 and most recently updated on July 12th, 2022.

Siemens Update #5 - Siemens published an update for their Polarion ALM advisory that was originally published on December 13th, 2022.

Siemens Update #6 - Siemens published an update for their RUGGEDCOM ROS-based V4 advisory that was originally published on November 8th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #7 - Siemens published an update for their PROFINET-IO (PNIO) stack advisory that was originally published on November 11th, 2020 and most recently updated on June 14th, 2022.

Siemens Update #8 - Siemens published an update for their OpenSSL component advisory that was originally published on June 14th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #9 - Siemens published an update for their SCALANCE advisory that was originally published on August 9th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #10 - Siemens published an update for their Teamcenter Visualization and JT2Go advisory that was originally published on December 13th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #11 - Siemens published an update for their SCALANCE X-200 and X-300/X408 advisory that was originally published on September 14th, 2021 and most recently updated on March 12th, 2022.

Siemens Update #12 - Siemens published an update for their SIMATIC CP 343-1 Advanced/CP-443-1 advisory that was originally published on November 21st, 2016 and most recently updated on December 10th, 2019.

Siemens Update #13 - Siemens published an update for their Industrial Products advisory that was originally published on March 20th, 2018 and most recently updated on January 10th, 2023.

Siemens Update #14 - Siemens published an update for their SIMATIC S7-400 CPU advisory that was originally published on March 12th, 2022 and most recently updated on August 9th, 2022.

Siemens Update #15 - Siemens published an update for their Web Interface of SCALANCE and RUGGEDCOM Products advisory that was originally published on October 11th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #16 - Siemens published an update for their SIMATIC NET CP advisory that was originally published on September 14th, 2021 and most recently updated on June 14th, 2022.

Siemens Update #17 - Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 9th, 2019 and most recently updated on January 10th, 2023.

Siemens Update #18 - Siemens published an update for their Web Server Login Page of Industrial Controllers advisory that was originally published on November 8th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #19 - Siemens published an update for their TCP SACK PANIC advisory that was originally published on September 10th, 2019 and most recently updated on June 14th, 2022.

Siemens Update #20 - Siemens published an update for their RUGGEDCOM ROS advisory that was originally published on September 13th, 2022 and most recently updated on November 8th, 2022.

Siemens Update #21 - Siemens published an update for their PROFINET Stack advisory that was originally published on March 12th, 2022 and most recently updated on February 14th, 2023.

Siemens Update #22 - Siemens published an update for their SCALANCE advisory that was originally published on December 13th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #23 - Siemens published an update for their OpenSSL 3.0 advisory that was originally published on December 13th, 2022.

Siemens Update #24 - Siemens published an update for their Industrial Products advisory that was originally published on December 13th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #25 - Siemens published an update for their Industrial Real-Time Devices advisory that was originally published on October 8th, 2019 and most recently updated on January 10th, 2023.

Siemens Update #26 - Siemens published an update for their OPC Foundation advisory that was originally published on May 10th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #27 - Siemens published an update for their SCALANCE X advisory that was originally published on July 12th, 2022.

Siemens Update #28 - Siemens published an update for their SIMATIC PCS 7 advisory that was originally published on February 11th, 2020 and most recently updated on April 12th, 2022.

Siemens Update #29 - Siemens published an update for their RUGGEDCOM ROS advisory that was originally published on March 8th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #30 - Siemens published an update for their OpenSSL advisory that was originally published on February 8th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #31 - Siemens published an update for their VxWorks advisory that was originally published on March 14th, 2020 and most recently updated on June 14th, 2022.

Researcher Reports

Triangle Microworks Report - The Zero Day Initiative published a report that describes a remote code execution vulnerability in the Triangle Microworks SCADA Data Gateway.

Exploits

Paradox Security Exploit - Giorgi Dograshvili published an exploit for a code injection vulnerability in the Paradox IPR512 IP monitoring receiver.

Palo Alto Networks Exploit - OMURUGUR published an exploit for a stored cross-site scripting vulnerability in the Palo Alto Networks Cortex XSOAR product.

FortiGuard Exploit - Mohammed Adel published an exploit for an uncontrolled resource consumption vulnerability in the FortiGuard FortiRecorder.

Schneider Exploit - Parsa Rezaie Khiabanloo published an exploit for a directory traversal vulnerability in an inadequately identified (SCADA-vis?) Schneider product.

Franklin Fueling Exploit - Parsa Rezaie Khiabanloo published an exploit for an information disclosure vulnerability in the Franklin Fueling Systems TS-550.

 

For more details about these disclosures, including a brief summary of the changes made in the updates, please see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-015 - subscription required.
