Review – 10 Advisories Published – 8-13-24

Today, CISA’s NCCIC-ICS published ten control system security advisories for products from Rockwell Automation (8), Ocean Data Systems, and AVEVA.

NOTE: The Ocean advisory also applies to an AVEVA product.

Advisories

ControlLogix Advisory #1 - This advisory describes an improper input validation vulnerability in the Rockwell ControlLogic, CompactLogic and GuardLogic products.

ControlLogix Advisory #2 - This advisory describes an improper input validation vulnerability in the Rockwell ControlLogic, CompactLogic and GuardLogic products.

ControlLogix Advisory #3 - This advisory describes an improper check for unusual or exceptional conditions vulnerable to in the Rockwell ControlLogix 5580, GuardLogix 5580 products.

Micro850/870 Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Rockwell Micro850/870 PLC’s.

FactoryTalk Advisory - This advisory describes an incorrect permission for critical function vulnerability in the Rockwell FactoryTalk View Site Edition.

DataMosaix Advisory - This advisory describes an improper authentication vulnerability in the Rockwell DataMosaix Private Cloud.

Pavilion8 Advisory - This advisory describes a missing encryption of sensitive data in the Rockwell Pavilion8 model predictive control software.

AADvance Advisory - This advisory discusses two vulnerabilities in the Rockwell AADvance Standalone OPC-DA Server.

Ocean Advisory - This advisory describes two vulnerabilities in the Ocean Dream Report, a report generating and delivery software, and the AVEVA Reports for Operations 2023 software.

AVEVA Advisory - This advisory describes an allocation of resources without limits or throttling vulnerability in the AVEVA SuiteLink Server.

 

For more information on these advisories, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/10-advisories-published-8-13-24 - subscription required.