Yesterday, CISA’s NCCIC-ICS published 14 control system security advisories for products from Siemens (12), Advantech, and SUBNET Solutions.
NOTE: Siemens also updated eight advisories this week, but a policy change at CISA in January means that those Siemens updates are no longer being reported by NCCIC-ICS. I will be covering them this weekend.
Advisories
Teamcenter Advisory -
This advisory
describes four vulnerabilities in the Siemens JT2Go and Teamcenter
Visualization products.
SICAM Advisory #1 -
This advisory
describes three vulnerabilities in the Siemens SICAM A8000 Devices. The
vulnerabilities were reported by the SEC Consult Lab.
SICAM Advisory #2 -
This advisory
describes six vulnerabilities in the Siemens POWER METER SICAM Q200 family.
SINAMICS Advisory -
This advisory
discusses 23 vulnerabilities in the Siemens SINAMICS MV (medium voltage)
products.
SIMATIC Advisory #1 -
This advisory
discusses 108 vulnerabilities in the Siemens SIMATIC S7-1500 TM MFP.
SIMATIC Advisory #2 -
This advisory
discusses 53 vulnerabilities in the BIOS of the Siemens SIMATIC S7-1500 TM MFP.
SIMATIC Advisory #3 -
This advisory
describes a code injection vulnerability in the Siemens SIMATIC PCS 7, SIMATIC
S7-PM, and SIMATIC STEP 7 V5 products.
SIMATIC Advisory #4 -
This advisory
describes an incorrect permission assignment for critical resource vulnerability
in the Siemens SIMATIC WinCC.
SIMATIC Advisory #5 -
This advisory
describes a use of obsolete function (legacy OPC services) vulnerability in the
Siemens SIMATIC products.
Solid Edge Advisory -
This advisory
describes an out-of-bounds read vulnerability in the Siemens Solid Edge SE2023
product.
TIA Portal Advisory -
This advisory
describes a protection mechanism failure vulnerability in the Siemens TIA Portal.
SIMOTION Advisory -
This advisory
describes an exposure of sensitive information due to incompatible policies
vulnerable in the Siemens SIMOTION products.
Advantech Advisory -
This advisory
describes an untrusted pointer dereference vulnerability in the Advantech WebAccess/SCADA
product.
SUBNET Advisory - This advisory describes two vulnerabilities in the SUBNET PowerSYSTEM Center.
Commentary
While Siemens reported an apparently egregious number of vulnerabilities
(108 and 53 in separate advisories) in their SINAMICS medium voltage products,
these are all Linux vulnerabilities and Siemens has been cumulatively reporting
similar slow-to-be-fixed Linux
vulnerabilities in their SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP since
2018. This is one of the problems with using a general-purpose OS for control
system products. If Siemens was reporting Windows vulnerabilities, I am sure
that we would be seeing a large number of such advisories being published every
month. Most vendors do not report Windows related vulnerabilities because,
where their products use that OS, they rely on Microsoft’s automated update
service to relatively painlessly fix those problems. Interestingly, that means
those products are exposed to the Internet for that service to work.
Posts
No comments:
Post a Comment