Thursday, November 14, 2024

Review – 18 Advisories and 1 Update Published

Today, CISA’s NCCIC-ICS published 17 control system security advisories for products from 2N, Hitachi Energy, Rockwell (3) and Siemens (12). They also published a medical device security advisory for products from Baxter. Finally, they updated an advisory for products from Elvaco.

Control System Advisories

2N Advisory - This advisory describes three vulnerabilities in the 2N Access Commander IP access control system.

Rockwell Advisory #1 - This advisory describes an improper validation of specified quantity in input vulnerability in the Rockwell Arena Input Analyzer.

Rockwell Advisory #2 - This advisory describes three vulnerabilities in the Rockwell FactoryTalk Updater.

Rockwell Advisory #3 - This advisory discusses a prototype pollution vulnerability in the Rockwell Verve Asset Manager.

Mendix Advisory - This advisory describes a race condition vulnerability in the Siemens Mendix Runtime.

SIMATIC CP Advisory - This advisory describes an incorrect authorization vulnerability in the Siemens SIMATIC CP1543-1.

TeleControl Server Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Siemens TeleControl Server.

Spectrum Power Advisory - This advisory describes an incorrect privilege assignment vulnerability in the Siemens Spectrum Power 7 product.

SINEC INS Advisory - This advisory discusses 59 vulnerabilities in the Siemens SINEC Infrastructure Network Services (INS) product.

Engineering Platforms Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Siemens Engineering Platforms.

SCALANCE Advisory - This advisory discusses 16 vulnerabilities in the Siemens SCALANCE M-800 Family.

Solid Edge Advisory - This advisory describes three vulnerabilities in the Siemens Solid Edge SE2024.

SINEC NMS Advisory - This advisory discusses 17 vulnerabilities in the SINEC Network Management System (NMS) product.

OZW672 and OZW772 Web Server Advisory - This advisory describes a cross-site scripting vulnerability in the Siemens OZW672 and OZW772 web servers.

SIPORT Advisory - This advisory describes an incorrect permission vulnerability in the Siemens SIPORT product.

RUGGEDCOM Crossbow Advisory - This advisory discusses two vulnerabilities (both with publicly available exploit code) in the Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC).

Medical Device Advisory

Baxter Advisory - This advisory describes nine vulnerabilities (one with publicly available exploit code) in the Baxter Life2000 Ventilation System.

Update

Elvaco Update - This update provides additional information on the M-Bus Metering Gateway advisory that was originally published on October 17th, 2024.

 

For more information on these advisories, including links to third-party advisories, researcher reports and exploits, as well as a brief summary of the changes in the update, see my article at CFSN Detailed Analysis (https://patrickcoyle.substack.com/p/18-advisories-and-1-update-published, subscription required).
