Showing posts with label Kunbus. Show all posts

Thursday, July 10, 2025

Review – 10 Advisories and 3 Updates Published – 7-10-25

Today CISA’s NCCIC-ICS published ten control system security advisories for products from AAR Railroad Electronics Standards, KUNBUS, Advantech, Delta Electronics, and Siemens (6). They also update advisories for products from IDEC Products, ECOVACS, and KUNBUS.

NOTE: Siemens published three other advisories on Tuesday. I will cover them in the Public ICS Disclosure blog post this weekend.

Advisories

AAR Advisory - This advisory describes a weak authentication vulnerability in the Association of American Railroads (AAR) End-of-Train and Head-of-Train remote linking protocol.

KUNBUS Advisory - This advisory describes an incorrect implementation of authentication algorithm vulnerability in the KUNBUS Revolution Pi OS and RevPi Webstatus.

Advantech Advisory - This advisory describes ten vulnerabilities in the Advantech iView product.

Delta Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Delta DTM Soft product.

SIPROTEC Advisory - This advisory describes a use of GET request method with sensitive query strings vulnerability in the Siemens SIPROTEC products.

TIA Advisory #1 - This advisory describes an upload of file with dangerous type vulnerability in the Siemens TIA Project-Server and TIA Portal products.

TIA Advisory #2 - This advisory describes two vulnerabilities in the Siemens TIA Administrator.

SIMATIC Advisory - This advisory describes an improper input validation vulnerability in the Siemens SIMATIC CN 4100 products.

Solid Edge Advisory - This advisory describes three vulnerabilities in the Siemens Solid Edge product.

SINEC Advisory - This advisory describes four vulnerabilities in the Siemens SINEC NMS products.

Updates

IDEC Update - This update provides additional information on the IDEC Products advisory that was originally published on September 19th, 2024.

ECOVACS Update - This update provides additional information on the DEEBOT Vacuum and Base Station advisory that was originally published on May 15th, 2025.

KUNBUS Update - This update provides additional information on the Revolution Pi advisory that was originally published on May 1st, 2025.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/10-advisories-and-3-updates-published - subscription required.

Saturday, May 10, 2025

Review – Public ICS Disclosures – Week of 5-3-25

This week is a relatively light one, with 11 vendor disclosures from Dell (5), Delta Electronics, Honeywell, HP (2), RT Labs, and Wiesemann & Theis. We also have 10 vendor updates from FortiGuard (6), HPE, Moxa, and Omron (2). Finally, we have three researcher reports for vulnerabilities in products from Kunbus and libplctags (2).

Advisories

Dell Advisory #1 - Dell published an advisory that discusses 41 vulnerabilities in their Dell Networking OS10 product.

Dell Advisory #2 - Dell published an advisory that describes a use of hard-coded credentials vulnerability in their Dell Networking OS10 product.

Dell Advisory #3 - Dell published an advisory that discusses three vulnerabilities in their EMC Networking OS10 product.

Dell Advisory #4 - Dell published an advisory that discusses eleven vulnerabilities (three with publicly available exploits) in their Dell Wyse Management Suite product.

Dell Advisory #5 - Dell published an advisory that describes an OS command injection vulnerability in their Dell Networking OS10 product.

Delta Advisory - Delta published an advisory that describes four out-of-bounds write vulnerabilities in their CNCSoft product.

Honeywell Advisory - Honeywell published an advisory that describes an OS command injection vulnerability in the MB-Secure and MB-Secure PRO building security manager.

HP Advisory #1 - HP published an advisory that discusses an integer overflow or wrap around vulnerability (with a publicly available exploit) in their HP Universal Scan.

HP Advisory #2 - HP published an advisory that discusses three vulnerabilities in multiple HP product lines.

RT Labs Advisory - RT Labs published an advisory that describes 10 vulnerabilities in their P-Net Profinet stack.

Wiesemann Advisory - CERT-VDE published an advisory that describes a cross-site scripting vulnerability in multiple Wiesemann & Theis products.

Updates

FortiGuard Update #1 - FortiGuard published an update for their ipsec ike advisory that was originally published on January 14th, 2025, and most recently updated on April 11th, 2025.

FortiGuard Update #2 - FortiGuard published an update for their cross-site scripting advisory that was originally published on February 11th, 2025.

FortiGuard Update #3 - FortiGuard published an update for their OS command injection advisory that was originally published on January 14th, 2025.

FortiGuard Update #4 - FortiGuard published an update for their vm download feature advisory that was originally published on March 11th, 2025.

FortiGuard Update #5 - FortiGuard published an update for their execute sensitive operations advisory that was originally published on May 14th, 2024.

FortiGuard Update #6 - FortiGuard published an update for their device del feature advisory that was originally published on March 11th, 2025.

HPE Update - HPE published an update for their ProLiant DL/XL Servers advisory that was originally published on March 10th, 2025.

Moxa Update - Moxa published an update for their command injection advisory that was originally published on April 2nd, 2025.

Omron Update #1 - Omron published an update for their NJ/NX-series Machine advisory that was originally published on January 14th, 2025.

Omron Update #2 - Omron published an update for their CX-Programmer advisory that was originally published on April 22nd, 2025.

Researcher Reports

Kunbus Report - Pen Test Partners published a report that describes four vulnerabilities in the Kunbus Revolution Pi industrial PLCs.

libplctags Report - Nozomi Networks published two reports that described individual vulnerabilities in the libplctags library.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-ebb - subscription required.


Thursday, May 1, 2025

Review – 2 Advisories Published – 5-1-25

Today CISA’s NCCIC-ICS published a control system security advisory for products from KUNBUS and a medical device security advisory for products from MicroDicom.

Advisories

KUNBUS Advisory - This advisory describes four vulnerabilities in the KUNBUS Revolution Pi products.

MicroDicom Advisory - This advisory describes two vulnerabilities in the MicroDicom DICOM Viewer.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-5-1-25 - subscription required.

Monday, February 17, 2025

Review – Public ICS Disclosures – Week of 2-8-25 – Part 2

For Part 2 we have 28 additional vendor disclosures from HPE (15), Insyde, Kunbus, Palo Alto Networks (10), and Philips.

Advisories

HPE Advisory #1 - HPE published an advisory that discusses an incorrect execution-assigned permissions vulnerability in their Intel E810 Series Ethernet Controllers.

HPE Advisory #2 - HPE published an advisory that discusses an uncontrolled search path element vulnerability in their Ethernet Adapters.

HPE Advisory #3 - HPE published an advisory that discusses four vulnerabilities in their Unified OSS Console and HPE Unified OSS Assurance Monitoring software.

HPE Advisory #4 - HPE published an advisory that discusses three vulnerabilities in their StoreEasy Servers.

HPE Advisory #5 - HPE published an advisory that discusses three vulnerabilities in their ProLiant DL/ML/XL, Alletra, Edgeline and Synergy Servers.

HPE Advisory #6 - HPE published an advisory that discusses a sequence of processor instructions leads to unexpected behavior vulnerability in their StoreEasy Servers.

HPE Advisory #7 - HPE published an advisory that discusses an improper FMS in hardware logic vulnerability in their HPE StoreEasy Servers.

HPE Advisory #8 - HPE published an advisory that discusses an improper access control vulnerability in their StoreEasy Servers.

HPE Advisory #9 - HPE published an advisory that discusses an execution with unnecessary privileges vulnerability in their SimpliVity AMD Servers.

HPE Advisory #10 - HPE published an advisory that discusses two improper input validation vulnerabilities in their SimpliVity AMD Servers.

HPE Advisory #11 - HPE published an advisory that discusses an improper access control vulnerability in their ProLiant DL/ML, Alletra, Apollo, Edgeline, MicroServer and Synergy Servers.

HPE Advisory #12 - HPE published an advisory that discusses an improper FMS in hardware logic vulnerability in their ProLiant DL/ML, Alletra, Edgeline and Synergy Servers.

HPE Advisory #13 - HPE published an advisory that discusses a sequence of processor instructions leads to unexpected behavior vulnerability in their ProLiant DL/ML, Alletra, Edgeline and Synergy Servers.

HPE Advisory #14 - HPE published an advisory that discusses two improper input validation vulnerabilities in their ProLiant AMD Servers.

HPE Advisory #15 - HPE published an advisory that discusses an execution with unnecessary privileges vulnerability in their ProLiant AMD Servers.

Insyde Advisory - Insyde published an advisory that describes a potential memory leak vulnerability in their InsydeH2O product.

Kunbus Advisory - Incibe-CERT published an advisory that describes two vulnerabilities in the Kunbus Revolution Pi IIoT gateway.

Palo Alto Networks Advisory #1 - PAN published an advisory that describes an improper protection of alternate path vulnerability in their Cortex XDR Broker VM product.

Palo Alto Networks Advisory #2 - PAN published an advisory that discusses 32 vulnerabilities in their PAN-OS product. These are third-party vulnerabilities.

Palo Alto Networks Advisory #3 - PAN published an advisory that describes a configuration issue with their GlobalProtect Clientless VPN product.

Palo Alto Networks Advisory #4 - PAN published an advisory that discusses 20 vulnerabilities in their Prisma Access Browser.

Palo Alto Networks Advisory #5 - PAN published an advisory that discusses an HTTP request/response smuggling vulnerability with a publicly available exploit in their Cortex XDR Broker VM product.

Palo Alto Networks Advisory #6 - PAN published an advisory that describes an improper check for unusual or exceptional condition vulnerability in their Cortex XDR Agent.

Palo Alto Networks Advisory #7 - PAN published an advisory that describes an external control of file name or path vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #8 - PAN published an advisory that describes an OS command injection vulnerability in their PAN-OS OpenConfig Plugin.

Palo Alto Networks Advisory #9 - PAN published an advisory that describes an external control of file name or path vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #10 - PAN published an advisory that describes a missing authentication for critical function vulnerability in their PAN-OS product.

Philips Advisory - Philips published an advisory that discusses the Veeam man-in-the-middle vulnerability (CVE-2025-23114 not CVE-2025-231104 as reported by Philips).


For more information on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-3aa - subscription required.

Saturday, March 30, 2024

Review – Public ICS Disclosures – Week of 3-23-24 – Part 2

For Part 2 we have eight additional vendor disclosures from SEL, SonicDICOM, Splunk (4), Watchguard, and Wireshark. There are also five vendor updates from ELECOM, Hitachi Energy (3), and HP. We also have three researcher reports for vulnerabilities in products from Hikvision, Kunbus, and Uniview. Finally, we have two exploits for products from Dell and Watchguard.

Advisories

SEL Advisory - SEL published a notification of a new version of their SEL-5813 Backup and Recovery Tool (BaRT) which includes a cybersecurity enhancement.

SonicDICOM Advisory - JPCERT published an advisory that discusses a use after free vulnerability in the SonicDICOM Media Viewer.

Splunk Advisory #1 - Splunk published an advisory that describes an insertion of sensitive information into log files vulnerability in the Debug Log in their Enterprise product.

Splunk Advisory #2 - Splunk published an advisory that describes an improper input validation vulnerability in the Dashboard Examples Hub of their Enterprise product.

Splunk Advisory #3 - Splunk published an advisory that discusses four vulnerabilities in their Enterprise product.

Splunk Advisory #4 - Splunk published an advisory that discusses two vulnerabilities in their Universal Forwarder product.

Watchguard Advisory - Watchguard published an advisory that describes a code injection vulnerability in their AuthPoint Password Manager extension for MacOS Safari.

Wireshark Advisory - Wireshark published an advisory that describes a mismatched memory management routines vulnerability in their T.38 dissector.

Updates

ELECOM Update - ELECOM published an update for their Wireless LAN routers advisory that was originally published on February 20th, 2024.

Hitachi Energy Update #1 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on December 19th, 2023 and most recently updated on February 27th, 2024.

Hitachi Energy Update #2 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on November 28th, 2023 and most recently updated on February 27th, 2024.

Hitachi Energy Update #3 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on April 25th, 2023 and most recently updated on February 27th, 2024.

HP Update - HP published an update for their HP Trusted Platform Module advisory that was originally published on June 8th, 2018.

Researcher Reports

Hikvision Report - IOActive published a report for a classic buffer overflow vulnerability in the Hikvision DS-7732NI-I4(B) network video recorder.

Kunbus Report - IOActive published a report of an off-by-one error vulnerability (that is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog) in the Kunbus Revolution PI industrial PC.

Uniview Report - SSD-Disclosure published a report for an authentication bypass vulnerability in selected Uniview IP Cameras.

Exploits

Dell Exploit - Amirhossein Bahramizadeh published an exploit for an improper access control vulnerability in the Dell Security Management Server.

WatchGuard Exploit - Charles FOL published a Metasploit module for a buffer overflow vulnerability (that is on CISA’s KEV catalog) in the WatchGuard Firebox and XTM appliances.


For more information on these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-ede - subscription required.

Saturday, February 19, 2022

Review - Public ICS Disclosures – Week of 2-12-22 – Part 1

It is beginning to look like multipart reports are going to be the standard for this weekly update. This week in Part 1 we have 14 vendor disclosures from Aveva, Axis, Broadcom (2), WECON, HPE (6), Kunbus, Mitsubishi, and Moxa.

Aveva Advisory - Aveva published an advisory describing a clear-text storage of credentials vulnerability in their System Platform 2020.

Axis Advisory - Axis published an advisory describing a DLL hijacking vulnerability in their IP Utility.

Broadcom Advisory #1 - Broadcom published an advisory describing a use of hard-coded credentials vulnerability.

Broadcom Advisory #2 - Broadcom published an advisory describing an authenticated privilege file read vulnerability in their Fabric OS.

WECON Advisory - INCIBE-CERT published an advisory describing two vulnerabilities in the WECON LeviStudioU.

HPE Advisory #1 - HPE published an advisory describing a host header injection vulnerability in their Integrated Lights-Out 4.

HPE Advisory #2 - HPE published an advisory describing a buffer overflow vulnerability in their iLO Amplifier Pack.

HPE Advisory #3 - HPE published an advisory describing an information disclosure vulnerability in their Fibre Channel and SAN Switches.

HPE Advisory #4 - HPE published an advisory describing an authentication bypass vulnerability in their Fibre Channel and SAN Switches.

HPE Advisory #5 - HPE published an advisory discussing the Log4Shell vulnerabilities in their Universal IoT.

HPE Advisory #6 - HPE published an advisory describing a buffer overflow vulnerability in their Gen10 and Gen10 Plus Synergy Servers.

Kunbus Advisory - Kunbus published an advisory describing two vulnerabilities in their Revolution PI base modules.

Mitsubishi Advisory - Mitsubishi published an advisory describing nine vulnerabilities in their Energy Saving Data Collecting Server (EcoWebServerIII).

Moxa Advisory - Moxa published an advisory describing a channel accessible by non-endpoint vulnerability in their MGate MB3170/MB3270/MB3280/MB3480 Series Protocol Gateways.


For more details on these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-346 - subscription required.


Saturday, January 8, 2022

Review - Public ICS Disclosures – Week of 1-1-22 – Part 1

This was a relatively light week for ICS disclosures, but because of the continuing response to the Log4Shell vulnerabilities, this will be a two-part report.

This week we have ten vendor disclosures from Draeger, Hitachi, Kunbus, Moxa (2), QNAP (2), Texas Instruments, VMware, and Yokogawa. There was an update for an advisory for products from IDEC. There are also nine researcher reports for products from Siemens (8) and VMware. Finally, we have one exploit published for products from Siemens.

Draeger Advisory - Draeger published an advisory discussing the use of the out-of-support TLS 1.0 and TLS 1.1 protocols.

Hitachi Advisory - Hitachi published an advisory discussing 27 vulnerabilities in their Disc Array Systems.

Kunbus Advisory - Kunbus published an advisory describing two vulnerabilities in their Revolution Pi base modules.

Moxa Advisory #1 - Moxa published an advisory discussing the DNSpooq vulnerabilities in their AWK-3131A/4131A/1137C/1131A Series of products.

Moxa Advisory #2 - Moxa published an advisory describing a memory leak vulnerability in their EDR-G903, EDR-G902, and EDR-810 Series Secure Routers.

QNAP Advisory #1 - QNAP published an advisory describing a code execution vulnerability in their NAS running QVPN Service product.

QNAP Advisory #2 - QNAP published an advisory describing a cross-site scripting vulnerability in their TFTP Server.

TI Advisory - TI published an advisory discussing the BrakTooth vulnerabilities in their dual-mode Bluetooth products.

VMware Advisory - VMware published an advisory describing a heap overflow vulnerability in their Workstation, Fusion and ESXi products.

Yokogawa Advisory - Yokogawa published an advisory describing seven vulnerabilities in their CENTUM and Exaopc products.

IDEC Update - JPCERT published an update for their IDEC PLC advisory that was originally published on December 24th, 2021.

Siemens Reports - The Zero Day Initiative published eight reports about vulnerabilities in the Siemens JT2Go products.

VMware Report - USD HeroLab published a report describing a hidden functionality vulnerability in the VMware Workspace ONE Intelligent Hub.

Siemens Exploit - RoseSecurity published an exploit for a denial of service vulnerability in the Siemens S7 Layer 2 product.

For more details about these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1 - subscription required.

Thursday, February 28, 2019

One Advisory and One Update Published – 02-28-19


Today the DHS NCCIC-ICS published a control system security advisory for products from PSI GridConnect and an update for a previously published advisory for products from Kunbus.

PSI Advisory


This advisory describes a cross-site scripting vulnerability in the PSI Telecontrol Gateway, Smart Telecontrol Unit family, and IEC104 Security Proxy. The vulnerability was reported by M. Can Kurnaz. PSI has a version that mitigates the vulnerability. There is no indication that Kurnaz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to execute dynamic scripts in the context of the application, which could allow cross-site scripting attacks.

Kunbus Update


This update provides additional information on an advisory that was originally published on February 5th, 2019 and updated on February 7th, 2019. The update provides a link to a new version that mitigates the vulnerabilities. There is no indication that the researcher involved was provided an opportunity to verify the efficacy of the fix.

Saturday, February 16, 2019

Public ICS Disclosures – Week of 02-09-19


This week we have five vendor disclosures for products from Kunbus, Schneider (3) and Rockwell; five vendor updates from Siemens; one coordinated disclosure for products from Resource Data Management and one exploit for a previously disclosed vulnerability for products from AVEVA.

Kunbus Advisory


Kunbus published an advisory for five vulnerabilities in its KUNBUS-GW Modbus TCP PR100088 product. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus is working on an update to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Conditional authentication bypass;
• Missing authentication for critical function;
• Denial of service;
• Publication of information by parameter data in an HTTP GET request; and
• Plain text storage of passwords

Schneider Advisories


Schneider has published an advisory describing six vulnerabilities in its Sarix Enhanced and Spectra Enhanced cameras. The vulnerabilities were reported by Deng Yongkai (NSFOCUS) and Gjoko Krstic (Zero Science). Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• A permissions, privileges, and access control vulnerability - CVE-2018-7816;
• A command injection vulnerability (2) - CVE-2018-7825 and CVE-2018-7826;
• A cross-site scripting (XSS) vulnerability (2) - CVE-2018-7827 and CVE-2018-7828; and
• An improper neutralization of special elements in query vulnerability - CVE-2018-7829


Schneider has published an advisory describing a buffer error vulnerability in its Vijeo Designer Lite software. The vulnerability is self-reported. Schneider has provided generic mitigations as the product has reached end-of-life status.


Schneider has published an advisory describing three vulnerabilities in its Modicon M221 and SoMachine Basic products. The vulnerabilities were reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin), Florian Fischer (Hochschule Augsburg) and Reid Wightman (Dragos Inc.). Schneider has updates available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• An environment vulnerability (2) - CVE-2018-7821 and CVE-2018-7823; and
• An incorrect default permissions vulnerability - CVE-2018-7822

Rockwell Advisory


Rockwell has published an advisory describing two vulnerabilities in its PowerMonitor 1000 monitor that were publicly reported (with exploits) in December (here and here) by Luca Chiou. Rockwell has provided generic mitigation measures pending development of updates. It also provides a link to intrusion prevention system (by CheckPoint) rules to detect the cross-site scripting vulnerability.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass - CVE-2019-19616

Siemens Updates


Siemens published an update for their advisory on Spectre and Meltdown Vulnerabilities in Industrial Products. They added updated affected version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller; and
• SIMATIC IPC547E

NOTE: NCCIC-ICS updated their alert (ICS-ALERT-18-011-01) for this vulnerability when Siemens added a new advisory. That technically included this update since the link provided in the alert goes to the latest version of the Siemens advisory.


Siemens published an update for their advisory on Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products. They added updated version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller;
• SIMATIC ET 200 SP Open Controller (F);
• SIMATIC S7-1500 Software Controller;
• SIMATIC IPC547E;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2;
• SIMATIC IPC347E; and
• SIMATIC HMI Basic Panels 2nd Generation

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E

NOTE: NCCIC-ICS is expected to update their advisory.


Siemens published an update for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added two additional vulnerabilities to the list for these products:

• CVE-2018-1000876; and
• CVE-2018-16862

NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Siemens has published an update for their advisory on Denial-of-Service in SICAM A8000 Series. They updated the CVSS vector due to a known exploit.


Siemens has published an update for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. They updated the affected version data and provided links to the mitigation measures for:

• SIMATIC IPC547E;
• SIMATIC IPC547G;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2; and
• SIMATIC IPC347E

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E

NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Resource Data Management


Safety Detective published an article describing default credential vulnerabilities for commercial refrigeration systems from Resource Data Management. The article describes how the researchers were able to locate vulnerable systems, change settings, and manipulate controls in systems in hospitals and stores.

AVEVA Exploit


Jacob Baines published an exploit for vulnerabilities in the AVEVA InduSoft Web Studio. The vulnerabilities were reported by NCCIC-ICS earlier this month.

Thursday, February 7, 2019

2 Advisories and 3 Updates Published – 02-07-19


Today the DHS NCCIC-ICS published two control system advisories for products from Siemens and three updates for products from Kunbus, Omron and Fuji Electric.

EN100 Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens EN100 Ethernet module. These vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens has provided updates for some of the affected products. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to conduct a denial-of-service attack over the network.

NOTE: I briefly discussed this update on January 12th.

SICAM Advisory


This advisory describes an uncaught exception vulnerability in the Siemens SICAM A8000 RTU. The vulnerability was reported by Emanuel Duss and Nicolas Heiniger from Compass Security. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been offered an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthenticated remote users to cause a denial-of-service condition on the web server of affected products.

NOTE: I briefly discussed this update on January 12th.

Siemens Update – There are two advisories from the January 8th tranche of vulnerability disclosures from Siemens. It will be interesting to see if they are processed by NCCIC-ICS before the next scheduled Siemens advisory disclosures on February 12th.

Kunbus Update


This update provides additional information on an advisory that was originally published on February 5th, 2019. The update includes:

• Adding two additional vulnerabilities (information exposure through query strings in GET request and clear-text storage of sensitive information); and
• Reporting that the two added vulnerabilities will be mitigated in the next version (end of the month).

Omron Update


This update provides additional information on an advisory that was originally published on January 17th, 2019. The update includes:

• Adding two additional vulnerabilities (access of uninitialized pointer and out-of-bounds read); and
• Adding Michael DePlante as a vulnerability reporter.

Fuji Update


This update provides additional information on an advisory that was originally published on September 27th, 2018. The update reports that a new version is available that mitigates the vulnerability.

Wednesday, February 6, 2019

5 Advisories and 6 Updates Published – 02-05-19


Yesterday the DHS NCCIC-ICS published five control system advisories for products from Kunbus, Siemens, WECON, Rockwell and AVEVA. They also updated five previously published advisories for products from Siemens and updated a medical device security advisory for products from BD.

Kunbus Advisory 


This advisory describes three vulnerabilities in the Kunbus PR100088 Modbus gateway. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus has a new version that mitigates the vulnerabilities. There is no indication that Merle has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2019-6527;
• Missing authentication for critical function - CVE-2019-6533; and
• Improper input validation - CVE-2019-6529

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to achieve remote code execution and/or cause a denial-of-service condition.

Siemens Advisory 


This advisory describes two improper input validation vulnerabilities in the Siemens SIMATIC S7-1500 CPU. The vulnerabilities were reported by Georgy Zaytsev, Dmitry Sklyarov, Druzhinin Evgeny, Ilya Karpov, and Maxim Goryachy of Positive Technologies. Siemens has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition on the device.

WECON Advisory 


This advisory describes three vulnerabilities in the WECON LeviStudioU product. The vulnerabilities were reported by Mat Powell, Ziad Badawi, and Natnael Samson via the Zero Day Initiative. WECON has an updated version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2019-6539;
• Stack-based buffer overflow - CVE-2019-6537; and
• Memory corruption - CVE-2019-6541

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow attackers to execute arbitrary code.

Rockwell Advisory 


This advisory describes an improper input validation vulnerability in the Rockwell EtherNet/IP Web Server Modules. The vulnerability was reported by Tenable. Rockwell has provided generic mitigations for the vulnerability. There is no indication that Tenable has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to deny communication with the Simple Network Management Protocol (SNMP) service.

AVEVA Advisory


This advisory describes two vulnerabilities in the AVEVA InduSoft Web Studio and InTouch Edge HMI products. The vulnerabilities were reported by Tenable. AVEVA has a new version that mitigates the vulnerabilities. AVEVA reports that Tenable has verified the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2019-6543; and
• Resource injection - CVE-2019-6545

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute an arbitrary process using a specially crafted database connection configuration file.

SIMATIC PCS7 Update 


This update provides additional information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018, November 14th, 2018 and again on December 13th, 2018. This update provides corrected version numbers and patch links for WinCC 7.2 and 7.4.

NOTE: I briefly discussed this update on January 12th.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018 and updated on October 9th, 2018. This update provides corrected version numbers and patch links for SIMATIC S7-300 incl. F and T.

NOTE: I briefly discussed this update on January 12th.


Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018 and most recently on December 11th, 2018. This update provides a link to an updated solution for SIMATIC S7-300.

NOTE: I briefly discussed this update on January 12th.

Discovery Service Update 


This update provides additional information on an advisory that was originally published on August 31st, 2017 and updated on October 3rd, 2017 and again on November 30th, 2017. This update provides updated version information and a link to the fix for SIMATIC NET PC Software.

NOTE: I briefly discussed this update on January 12th.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018, May 3rd, 2018, November 13th, 2018 and most recently on December 11th, 2018. This update provides corrected information for CP 1243-1.

NOTE: I briefly discussed this update on January 12th.

BD Update


This update provides additional information on an advisory that was originally published on January 29th, 2019. In the vulnerability overview section of the advisory this update changes the words “The application…” to “The system…”.

Commentary


On January 12th, 2019 I reported on the five advisories and seven updates published by Siemens on December 8th. To date NCCIC-ICS has only reported on one of the advisories and six of the updates. I do not expect to see an update on the final Siemens update, as it is for the generic GNU/Linux vulnerabilities that are covered by an NCCIC-ICS alert. I am beginning to suspect that NCCIC-ICS will not be reporting on the remaining Siemens advisories. This may be because the vulnerability reports were not coordinated through NCCIC-ICS. Or it may be that NCCIC-ICS was understaffed during the recent Federal Funding Fiasco and has not yet had time to catch up with all of the vulnerability reporting that occurred during that time.

As I gradually expand the list of web sites that I scan weekly for my ‘Public ICS Disclosures’ blog post, it is becoming rather obvious that NCCIC-ICS is not a central clearing house for ICS vulnerability disclosures. That means that there is no central agency that is tracking (and more importantly reporting on) vulnerabilities in the ICS sphere. With the major ICS vendors this is probably not a major issue since they have relatively robust reporting systems of their own. But for the second and third tier of vendors, this is going to become a serious problem.

If/when Congress ever gets around to looking at the subject of control system security, one of the issues that they are going to have to look at (and hopefully rationally deal with) is the issue of vulnerability coordination and disclosure. When/if they do that, I would hope that they would consider codifying and expanding the role of NCCIC-ICS in that process. And I believe that part of that expansion should be establishing NCCIC-ICS as the public clearing house for vulnerability disclosure in the control system arena.
