Review – Public ICS Disclosures – Week of 5-6-23 – Part 2

For Part 2 this week we have four additional vendor disclosures from Schneider. We also have 18 updates for products from Schneider (2) and Siemens (16). There are three researcher reports for products from Advantech and Weston (2).

Advisories

Schneider Advisory #1 - Schneider published an advisory that describes an improper XML external entity reference vulnerability in their OPC Factory Server.

Schneider Advisory #2 - Schneider published an advisory that discusses an improper authorization vulnerability in their EcoStruxure Power Operation, EcoStruxure Power SCADA Operation products.

Schneider Advisory #3 - Schneider published an advisory that discusses an improper authorization vulnerability in their EcoStruxure Power Operation, EcoStruxure Power SCADA Operation products.

Schneider Advisory #4 - Schneider published an advisory that discusses an improper authorization vulnerability in their EcoStruxure Power SCADA Anywhere products.

Updates

Schneider Update #1 - Schneider published an update for their INFRA:HALT advisory that was originally published on February 8^th, 2022, and most recently updated on February 14^th, 2023.

Schneider Update #2 - Schneider published an update for their BadAlloc advisory that was originally published on April 12^th, 2022, and most recently updated on April 11^th, 2023.

Siemens Update #1 - Siemens published an update for their SIPROTEC 5 devices advisory that was originally published on April 11^th, 2023.

Siemens Update #2 - Siemens published an update for their Siemens Industrial Products using Intel CPUs advisory that was originally published on August 10^th, 2021 and most recently updated on December 13^th, 2022.

Siemens Update #3 - Siemens published an update for their TIA Portal advisory that was originally published on April 11^th, 2023.

Siemens Update #4 - Siemens published an update for their SIMATIC S7-400 CPUs advisory that was originally published on November 13^th, 2018 and most recently updated on January 10^th, 2023.

Siemens Update #5 - Siemens published an update for their OpenSSL Affecting Industrial Products advisory that was originally published on June 14^th, 2022, and most recently updated on April 11^th, 2023.

Siemens Update #6 - Siemens published an update for their Siemens Industrial Products using Intel CPUs advisory that was originally published on February 14^th, 2023.

Siemens Update #7 - Siemens published an update for their TIA Project-Server advisory that was originally published on February 14^th, 2023.

Siemens Update #8 - Siemens published an update for their Polarion ALM advisory that was originally published on April 11^th, 2014.

Siemens Update #9 - Siemens published an update for their Industrial Products advisory that was originally published on March 20^th, 2018 and most recently updated on April 11^th, 2023.

Siemens Update #10 - Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 11^th, 2023.

Siemens Update #11 - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on December 13^th, 2022.

Siemens Update #12 - Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 9^th, 2019.

Siemens Update #13 - Siemens published an update for their e Web Server Login Page of Industrial Controllers advisory that was originally published on November 8^th, 2022 and most recently updated on April 11^th, 2023.

Siemens Update #14 - Siemens published an update for their Profinet Devices advisory that was originally published on October 8^th, 2018, and most recently update on January 10^th, 2023.

Siemens Update #15 - Siemens published an update for their Industrial Products advisory that was originally published on December 13^th, 2022, and most recently updated on April 11^th, 2023.

Siemens Update #16 - Siemens published an update for their n Industrial Real-Time (IRT) Devices advisory that was originally published on October 8^th, 2019, and most recently updated on April 11^th, 2023.

Researcher Reports

Advantech Report - Cyber Danube published a report about three vulnerabilities in the Advantech EKI-1524-CE series, EKI-1522 series, EKI-1521 series serial device servers.

Weston Reports - Cisco Talos published two reports about three vulnerabilities in the Weston Embedded uC-FTPs.

 

For more details on these disclosures, including a brief summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-e8f - subscription required.