Thursday, May 16, 2024

Review – 14 Advisories and 3 Updates Published – 5-16-24

Today, CISA’s NCCIC-ICS published 14 control system security advisories for products from Rockwell Automation and Siemens (13). They also updated three advisories for products from GE Healthcare and Mitsubishi (2).

Siemens published two other advisories and 23 updates on Tuesday that were not addressed here. I will cover them this weekend.

Advisories

Rockwell Advisory - This advisory describes an improper input validation vulnerability in the Rockwell FactoryTalk View SE monitoring software.

Industrial Product Advisory - This advisory describes an out-of-bounds read vulnerability in the Siemens Industrial Products.

Desigo Advisory - This advisory describes three vulnerabilities in the Siemens Cerberus PRO UL and Desigo Fire Safety UL products.

RUGGEDCOM Advisory #1 - This advisory discusses two vulnerabilities in the Siemens RUGGEDCOM APE1808 products.

RUGGEDCOM Advisory #2 - This advisory describes nine vulnerabilities in the Siemens RUGGEDCOM CROSSBOW product.

Solid Edge Advisory - This advisory describes eight vulnerabilities in the Siemens Solid Edge products.

PS/IGES Advisory - This advisory describes 11 vulnerabilities in the Siemens PS/IGES Parasolid Translator Component.

SIMATIC Advisory #1 - This advisory discusses 21 vulnerabilities (three with known exploits) in the Siemens SIMATIC RTLS Locating Manager.

SIMATIC Advisory #2 - This advisory describes three vulnerabilities in the Siemens SIMATIC CN 4100.

SIMCENTER Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Siemens Simcenter Nastran finite element analysis program.

Polarion Advisory - This advisory describes an improper access control vulnerability in the Siemens Polarion ALM application lifecycle management software.

Teamcenter Advisory - This advisory describes two vulnerabilities in the Siemens JT2Go and Teamcenter Visualization products.

SICAM Advisory - This advisory describes three vulnerabilities in multiple Siemens SICAM products.

Parasolid Advisory - This advisory describes three vulnerabilities in the Siemens Parasolid design and simulation product.

Updates

GE Healthcare Update - This update provides additional information on the Ultrasound Products advisory that was originally published on February 18th, 2020.

Mitsubishi Update #1 - This update provides additional information on the MELSEC-Q/L Series advisory that was originally published on March 14th, 2024.

Mitsubishi Update #2 - This update provides additional information on the MELSEC iQ-R Series Safety CPU advisory that was originally published on February 13th, 2024.

For more information on these advisories, including links to 3rd party advisories, vendor advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-and-3-updates-published - subscription required.
