Thursday, October 12, 2023

Review – 18 Advisories and 1 Update Published

Today, CISA’s NCCIC-ICS published 16 control system security advisories for products from Schneider, Advantech, Hikvision, Mitsubishi, Weintek, and Siemens (11) and two medical device security advisories for products from Santesoft. They also updated an advisory for products from PTC.

Siemens published one additional advisory (and 11 updates) on Tuesday that are not covered here. CISA no longer updates their Siemens advisories. I will discuss all of them this weekend in my Public ICS Disclosure blog post.

Advisories

Schneider Advisory - This advisory describes a missing authentication for critical function vulnerability in the Schneider Interactive Graphical SCADA System (IGSS).

Advantech Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Advantech WebAccess product.

Hikvision Advisory - This advisory describes two vulnerabilities in the Hikvision Access Control and Intercom Products.

Mitsubishi Advisory - This advisory describes an improper authentication vulnerability in the Mitsubishi MELSEC-F Series main modules.

Weintek Advisory - This advisory describes three vulnerabilities in the Weintek cMT3000 CMI Web CGI.

Mendix Advisory - This advisory describes an observable discrepancy vulnerability in the Siemens Mendix Forgot Password Module.

Tecnomatix Advisory - This advisory describes seven vulnerabilities in the Siemens Tecnomatix Plant Simulation product.

SICAM Advisory #1 - This advisory describes a use of hard-coded credentials vulnerability in the Siemens CP-8050 and CP-8031 master modules.

SICAM Advisory #2 - This advisory describes an incorrect permission assignment for a critical resource vulnerability in the Siemens SICAM PAS/PQS.

SICAM Advisory #3 - This advisory describes a path traversal vulnerability in the Siemens SICAM A8000 CP-8031 and CP-8050 master modules.

SINEC Advisory - This advisory describes two vulnerabilities in the Siemens SINEC NMS.

RUGGEDCOM Advisory - This advisory discusses seven vulnerabilities in the Siemens RUGGEDCOM APE1808.

Simcenter Advisory - This advisory describes a code injection vulnerability in the Siemens Simcenter Amesim product.

Xpedition Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Siemens Xpedition Layout Browser.

SCALANCE Advisory - This advisory discusses thirteen vulnerabilities in the Siemens SCALANCE W1750D.

SIMATIC Advisory - This advisory describes two vulnerabilities in the Siemens SIMATIC CP products.

Santesoft Advisory #1 - This advisory describes an out-of-bounds read vulnerability in the Santesoft Sante FFT Imaging.

Santesoft Advisory #2 - This advisory describes two vulnerabilities in the Santesoft Sante DICOM Viewer Pro.

Updates

PTC Update - This update provides additional information on an advisory that was originally published on August 31st, 2023.

For more information on these advisories, including lists of missing vulnerabilities, links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/18-advisories-and-1-updates-published - subscription required.
