Today, CISA’s NCCIC-ICS published five control system security advisories for products from Kastle Systems, MegaSys Computer Technologies, IDEC Corp, and Rockwell Automation. They also updated an advisory for products from Treck.
Advisories
Kastle Advisory - This advisory describes two vulnerabilities in the Kastle Access Control System.
MegaSys Advisory - This advisory describes an improper input validation vulnerability in the MegaSys Telenium Online Web Application.
IDEC Advisory #1 - This advisory describes a cleartext storage of sensitive information vulnerability in the IDEC WindLDR PLC and WindO/I-NV4 HMI.
IDEC Advisory #2 - This advisory describes two vulnerabilities in multiple PLCs from IDEC. The vulnerabilities are self-reported.
Rockwell Advisory - This advisory describes an insufficient verification of data authenticity vulnerability in their RSLogix 5 and RSLogix 500 programming software.
Updates
Treck Update - This update provides additional information on the Treck Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on March 17th, 2022.
For more information on these advisories and a down-the-rabbit-hole look at CISA guidance for cloud applications, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-c52 - subscription required.
1 comment:
About the Rockwell advisory: on that vendor's publication for that vulnerability there is a reference to a JSON to help you automate the vulnerability handling, but the JSON refers to another vulnerability. Looks like the webpage is copy/pasted.