Thursday, March 14, 2024

Review – 14 Advisories and 1 Update Published – 3-14-24

Today, CISA’s NCCIC-ICS published fourteen control system security advisories for products from Mitsubishi Electric, Softing, Delta Electronics, and Siemens (11). They also updated an advisory for products from Mitsubishi.

Advisories

Mitsubishi Advisory - This advisory describes five vulnerabilities in the Mitsubishi MELSEC-Q/L Series products.

Softing Advisory - This advisory describes two vulnerabilities in the Softing edgeConnector and edgeAggregator products.

Delta Advisory - This advisory describes ten vulnerabilities in the Delta DIAEnergie product.

RUGGEDCOM Advisory #1 - This advisory discusses 38 vulnerabilities (two on the CISA KEV catalog) in the Siemens RUGGEDCOM APE1808 devices.

RUGGEDCOM Advisory #2 - This advisory discusses seven vulnerabilities (two on the KEV catalog) in the Siemens RUGGEDCOM APE1808.

Siveillance Advisory - This advisory describes an incorrect authorization vulnerability in the Siemens Siveillance Control physical security information management system.

Sinteso Advisory - This advisory describes three vulnerabilities in the Siemens Sinteso EN and Cerberus PRO EN fire protection systems.

SCALANCE Advisory - This advisory describes two vulnerabilities in the Siemens SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG families.

SIMATIC Advisory - This advisory discusses 157 vulnerabilities in the Siemens SIMATIC mobile RFID reader. These are third-party vulnerabilities.

SENTRON Advisory - This advisory describes a hidden functionality vulnerability in the Siemens SENTRON 3KC ATC6 Expansion Module Ethernet.

SINEMA Advisory #1 - This advisory describes an insertion of sensitive information into an externally-accessible file or directory vulnerability in the Siemens SINEMA Remote Connect Client.

SINEMA Advisory #2 - This advisory discusses two vulnerabilities in the Siemens SINEMA Remote Connect Server.

Solid Edge Advisory - This advisory describes an out-of-bounds read vulnerability in the Siemens Solid Edge product.

SENTRON Advisory - This advisory describes an improper access control vulnerability in the Siemens SENTRON 7KM PAC3120 and 7KM PAC3220 products.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on May 23rd, 2023 and most recently updated on September 12th, 2023.

 

For more information on these advisories, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-and-1-update-published-668 - subscription required.

