Tuesday, January 30, 2024

Review – 7 Advisories and 1 Update Published – 1-30-24

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Rockwell Automation (3), Hitron, Mitsubishi Electric (2) and Emerson. They also updated an advisory for products from Mitsubishi.

Advisories

Rockwell Advisory #1 - This advisory discusses 15 vulnerabilities in multiple Rockwell Operator Panels.

Rockwell Advisory #2 - This advisory describes an improper verification of cryptographic signatures in the Rockwell FactoryTalk Service Platform.

Rockwell Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer in the Rockwell ControlLogix and GuardLogix products.

Hitron Advisory - This advisory describes six improper input validation vulnerabilities in the Hitron HGR and LGUVR series DVRs.

Mitsubishi Advisory #1 - This advisory describes an authentication bypass by capture-replay vulnerability in the Mitsubishi MELSEC WS Series Ethernet Interface Modules.

Mitsubishi Advisory #2 - This advisory describes two vulnerabilities in the Mitsubishi FA Engineering Software Products.

Emerson Advisory - This advisory describes four vulnerabilities in the Emerson Rosemount GC370XA, GC700XA, and GC1500XA gas chromatographs.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on July 27th, 2023 and most recently updated on December 5th, 2023.

 

For more information on these advisories, including links to 3rd party vulnerabilities and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-1-update-published-c5e - subscription required. 

1 comment:

Anonymous said...

Strange that Rockwell reports vulnerabilities to CISA, but doesn't publish them on their own website. They recently made a new website for security advisories, for which a login is no longer needed, but the new website is not as actively maintained as the old website, so you'd better use the old one to keep current. CISA refers to Rockwell's new website.

As for the ICSA-24-030-07, the Rockwell advisory is at https://www.rockwellautomation.com/en-us/support/advisory.SD1659.html (but a login is needed...)

 