Review – 5 Advisories Published – 12-7-23

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Sierra Wireless, ControlByWeb, Johnson Controls, Schweitzer Engineering Laboratories, and Mitsubishi Electric.

Advisories

Sierra Wireless Advisory - This advisory describes seven vulnerabilities in the Sierra Wireless AirLink router with ALEOS firmware.

ControlByWeb Advisory - This advisory describes a cross-site scripting vulnerability in the ControlByWeb Relay.

Johnson Controls Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Johnson Controls Metasys and Facility Explorer products.

SEL Advisory - This advisory describes an improper restriction of rendered UI layers or frames in the SEL-411L product line.

Mitsubishi Advisory - This advisory discusses two vulnerabilities in the Mitsubishi MELIPC , MELSEC iQ-R, and MELSEC Q Series products.

 

For more details about these advisories, including links to 3^rd party advisories and a down-the-rabbit-hole look at additional potential Sierra Wireless vulnerabilities, see my article at CFSN Detailed Analysis - - subscription required.