Sunday, May 14, 2023

Review – Public ICS Disclosures – Week of 5-6-23 – Part 2

For Part 2 this week we have four additional vendor disclosures from Schneider. We also have 18 updates for products from Schneider (2) and Siemens (16). There are three researcher reports for products from Advantech and Weston (2).

Advisories

Schneider Advisory #1 - Schneider published an advisory that describes an improper XML external entity reference vulnerability in their OPC Factory Server.

Schneider Advisory #2 - Schneider published an advisory that discusses an improper authorization vulnerability in their EcoStruxure Power Operation and EcoStruxure Power SCADA Operation products.

Schneider Advisory #3 - Schneider published an advisory that discusses an improper authorization vulnerability in their EcoStruxure Power Operation and EcoStruxure Power SCADA Operation products.

Schneider Advisory #4 - Schneider published an advisory that discusses an improper authorization vulnerability in their EcoStruxure Power SCADA Anywhere products.

Updates

Schneider Update #1 - Schneider published an update for their INFRA:HALT advisory that was originally published on February 8th, 2022, and most recently updated on February 14th, 2023.

Schneider Update #2 - Schneider published an update for their BadAlloc advisory that was originally published on April 12th, 2022, and most recently updated on April 11th, 2023.

Siemens Update #1 - Siemens published an update for their SIPROTEC 5 devices advisory that was originally published on April 11th, 2023.

Siemens Update #2 - Siemens published an update for their Siemens Industrial Products using Intel CPUs advisory that was originally published on August 10th, 2021 and most recently updated on December 13th, 2022.

Siemens Update #3 - Siemens published an update for their TIA Portal advisory that was originally published on April 11th, 2023.

Siemens Update #4 - Siemens published an update for their SIMATIC S7-400 CPUs advisory that was originally published on November 13th, 2018 and most recently updated on January 10th, 2023.

Siemens Update #5 - Siemens published an update for their OpenSSL Affecting Industrial Products advisory that was originally published on June 14th, 2022, and most recently updated on April 11th, 2023.

Siemens Update #6 - Siemens published an update for their Siemens Industrial Products using Intel CPUs advisory that was originally published on February 14th, 2023.

Siemens Update #7 - Siemens published an update for their TIA Project-Server advisory that was originally published on February 14th, 2023.

Siemens Update #8 - Siemens published an update for their Polarion ALM advisory that was originally published on April 11th, 2014.

Siemens Update #9 - Siemens published an update for their Industrial Products advisory that was originally published on March 20th, 2018 and most recently updated on April 11th, 2023.

Siemens Update #10 - Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 11th, 2023.

Siemens Update #11 - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on December 13th, 2022.

Siemens Update #12 - Siemens published an update for their Webserver of Industrial Products advisory that was originally published on April 9th, 2019.

Siemens Update #13 - Siemens published an update for their Web Server Login Page of Industrial Controllers advisory that was originally published on November 8th, 2022, and most recently updated on April 11th, 2023.

Siemens Update #14 - Siemens published an update for their Profinet Devices advisory that was originally published on October 8th, 2018, and most recently updated on January 10th, 2023.

Siemens Update #15 - Siemens published an update for their Industrial Products advisory that was originally published on December 13th, 2022, and most recently updated on April 11th, 2023.

Siemens Update #16 - Siemens published an update for their Industrial Real-Time (IRT) Devices advisory that was originally published on October 8th, 2019, and most recently updated on April 11th, 2023.

Researcher Reports

Advantech Report - Cyber Danube published a report about three vulnerabilities in the Advantech EKI-1524-CE series, EKI-1522 series, and EKI-1521 series serial device servers.

Weston Reports - Cisco Talos published two reports about three vulnerabilities in the Weston Embedded uC-FTPs.

 

For more details on these disclosures, including a brief summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-e8f - subscription required.
