Thursday, September 14, 2023

Review – 7 Advisories Published – 9-14-23

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Rockwell Automation and Siemens (6).

Siemens published one additional advisory on Tuesday and two advisories today that were not covered by CISA. Siemens also published 14 updates, but CISA no longer updates their Siemens advisories. I will report on all of them this weekend.


Rockwell Advisory - This advisory describes an improper authentication vulnerability in the Rockwell Pavilion8 model predictive control software.

WIBU Systems Advisory - This advisory discusses an out-of-bounds write vulnerability in Siemens products using the WIBU Systems CodeMeter.

Simatic Advisory #1 - This advisory discusses the Downfall Attacks vulnerability found in Siemens SIMATIC Field PG and SIMATIC IPC products.

Simatic Advisory #2 - This advisory describes an integer overflow or wrap around vulnerability in the Siemens SIMATIC and SIPLUS Products.

RUGGEDCOM Advisory - This advisory discusses 23 vulnerabilities in the Siemens RUGGEDCOM APE1808 Product Family. These are third-party (Insyde) vulnerabilities.

QMS Advisory - This advisory describes ten vulnerabilities in the Siemens Quality Management System (QMS) Automotive software.

Parasolid Advisory - This advisory describes two out-of-bounds write vulnerabilities in the Siemens Parasolid 3D geometric modeling tool.


For more details on these advisories, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis (subscription required).
