Welcome to Cyber Thursday.
Today CISA published 21 control system security advisories for products from Delta Electronics, Rockwell Automation (6), Schneider Electric, and Siemens (13). Schneider published 7 additional advisories on Tuesday as well as one update. Siemens published 18 updates on Tuesday, but CISA is no longer covering the Siemens updates. I will cover all of them this weekend.
Advisories
Delta Advisory - This advisory describes five vulnerabilities in the Delta CNCSoft-G2 HMI.
ControlLogix Advisory - This advisory describes an improper input validation vulnerability in multiple Rockwell ControlLogix products.
PowerFlex Advisory - This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Rockwell PowerFlex 6000T.
Logix Controllers Advisory - This advisory describes an uncontrolled resource consumption vulnerability in multiple Rockwell Logix Controllers.
Verve Asset Manager - This advisory describes a placement of users into incorrect group vulnerability in the Rockwell Verve Asset Manager.
DataMosaix Advisory #1 - This advisory discusses six vulnerabilities (two with available exploits) in the Rockwell DataMosaix Private Cloud.
DataMosaix Advisory #2 - This advisory describes three vulnerabilities in the Rockwell DataMosaix Private Cloud.
Schneider Advisory - This advisory describes two vulnerabilities in the Schneider Zelio Soft 2 product.
Tecnomatix Advisory - This advisory describes 14 vulnerabilities in the Siemens Tecnomatix Plant Simulation product.
Sentron Powercenter Advisory - This advisory discusses an improper check for unusual or exceptional conditions vulnerability in the Siemens Sentron Powercenter 1000.
Ruggedcom Advisory - This advisory discusses an incorrect authorization vulnerability in the Siemens RUGGEDCOM APE1808LNX.
SIMATIC S7-1500 Advisory #2 - This advisory describes an open redirect vulnerability in the Siemens SIMATIC S7-1500.
PSS SINCAL Advisory - This advisory discusses two improper restriction of operations within the bounds of a memory buffer vulnerabilities in the Siemens PSS SINCAL (if WibuKey dongles are used).
JT2Go Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Siemens JT2Go 3D viewing tool.
SINEC Security Monitor Advisory - This advisory describes four vulnerabilities in the Siemens SINEC Security Monitor.
QUESTA Advisory - This advisory describes three uncontrolled search path vulnerabilities in the Siemens Questa and ModelSim products.
SENTRON PAC3200 Advisory - This advisory describes an improper authentication vulnerability in the Siemens SENTRON PAC3200 devices.
Teamcenter Visualization Advisory - This advisory describes two vulnerabilities in the Teamcenter Visualization and JT2Go products.
For more information on these advisories, including links to 3rd party advisories, researcher reports, and exploits, as well as some brief commentary on unusual situations, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/21-advisories-published-10-10-24 - subscription required.