CISA releases 28 Industrial Control Systems Advisories

8/11/2022 2:30 PM EDT


ICS-CERT released the following 28 advisories today, August 11, 2022. Click on the links below for more detailed information on these Industrial Control Systems vulnerabilities.

Siemens Simcenter STAR-CCM+
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in versions of Siemens Simcenter STAR-CCM+ products.

Siemens Teamcenter
This advisory contains mitigations for Command Injection and Infinite Loop vulnerabilities in versions of Siemens Teamcenter, a product lifecycle management software.

Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70
This advisory contains mitigations for Heap-based Buffer Overflow, Wrap or Wraparound, Classic Buffer Overflow, and Out-of-bounds Write vulnerabilities in products using AT&T Labs Compressor (XMill).

Emerson ROC800, ROC800L and DL8000
This advisory contains mitigations for an Insufficient Verification of Data Authenticity vulnerability in versions of ROC800, a remote automation controller.

Siemens SICAM A8000 Web Server Module
This advisory contains mitigations for an Improper Access Control vulnerability in versions of SICAM A8000 Web Server Module products.

Siemens SICAM TOOLBOX II
This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in versions of SICAM TOOLBOX II, a control and monitoring system.

Siemens SCALANCE
This advisory contains mitigations for Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Allocation of Resources Without Limits or Throttling, and Basic Cross Site Scripting vulnerabilities in versions of SCALANCE products.

Siemens SIMATIC S7-400 (Update A)
This updated advisory is a follow-up to the advisory update titled ICSA-21-104-12 Siemens SIMATIC S7-400 that was published April 14, 2022, to the ICS webpage on www.cisa.gov/ics. This advisory contains mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in versions of Siemens SIMATIC S7-400 products.

Siemens Industrial Products Intel CPUs (Update E)
This updated advisory is a follow-up to the advisory update titled ICSA-21-222-05 Siemens Industrial Products Intel CPU (Update D) that was published July 14, 2022, to the ICS webpage on www.cisa.gov/ics. This advisory contains mitigations for a Missing Encryption of Sensitive Data vulnerability in versions of Siemens Industrial Products Intel CPUs.

ICSA-21-194-07 Siemens Industrial Products LLDP (Update C)
This updated advisory is a follow-up to the original advisory titled ICSA-21-194-07 Siemens Industrial Products LLDP (Update B) that was published August 10, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Classic Buffer Overflow and Uncontrolled Resource Consumption vulnerabilities in versions of Siemens Industrial Products (LLDP).

Siemens Linux-based Products (Update I)
This updated advisory is a follow-up to the advisory update titled ICSA-21-131-03 Siemens Linux-based Products (Update H) that was published June 16, 2022, to the ICS webpage at www.cisa.gov/ics. This advisory contains mitigations for a Use of Insufficiently Random Values vulnerability in versions of Siemens Linux-based products.

Siemens Datalogics File Parsing Vulnerability (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-22-195-07 Siemens Datalogics File Parsing Vulnerability that was published July 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Heap-based Buffer Overflow vulnerability in versions of Siemens Teamcenter Visualization and JT2Go products.

Siemens S7-400 CPUs (Update B)
This updated advisory is a follow-up to the advisory update titled ICSA-18-317-02 Siemens S7-400 CPUs (Update A) that was published May 14, 2019, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Improper Input Validation vulnerability in versions of SIMATIC S7-400 products.

Siemens SIMATIC Software Products (Update B)
This updated advisory is a follow-up to the advisory update titled ICSA-21-194-06 Siemens SIMATIC Software Products (Update A) that was published September 14, 2021, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in versions of Siemens SIMATIC software products.

Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B)
This updated advisory is a follow-up to the original advisory titled ICSA-19-344-06 Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update A) that was published March 10, 2020, on the ICS webpage on us-cert.gov. This advisory contains mitigations for Use of a Broken or Risky Cryptographic Algorithm and Missing Support for Integrity Check vulnerabilities in versions of SIMATIC products.

Baxter Sigma Spectrum Infusion Pumps (Update B)
This updated advisory is a follow-up to the original advisory titled ICSA-20-170-04 Sigma Spectrum Infusion Pumps (Update A) that was published June 23, 2020, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Use of Hard-coded Password, Cleartext Transmission of Sensitive Data, Incorrect Permission Assignment for Critical Resource, and Operation on a Resource After Expiration or Release vulnerabilities in versions of Sigma Spectrum Infusion systems.

Siemens Industrial Products with OPC UA (Update H)
This updated advisory is a follow-up to the updated advisory titled ICSA-19-099-03 Siemens Industrial Products with OPC UA (Update G) that was posted April 14, 2022, on the ICS webpage on www.cisa.gov/ics. This advisory contains mitigations for an Uncaught Exception vulnerability in versions of Siemens industrial products with OPC UA.

Siemens PROFINET Stack Integrated on Interniche Stack (Update C)
This updated advisory is a follow-up to the original advisory titled ICSA-22-104-06 Siemens PROFINET Stack Integrated on Interniche Stack (Update B) that was published July 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in versions of Siemens PROFINET Stack Integrated on Interniche Stack products.

Siemens TIA Portal (Update F)
This updated advisory is a follow-up to the advisory update titled ICSA-20-014-05 Siemens TIA Portal (Update E) that was published June 16, 2022, on the ICS webpage at cisa.gov/ics. This advisory contains mitigations for a Path Traversal vulnerability in versions of TIA Portal, the Totally Integrated Automation Portal.

Siemens Teamcenter (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-22-167-13 Siemens Teamcenter that was published June 16, 2022, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in versions of Teamcenter, a product lifecycle management software.

Siemens Industrial Devices using libcurl (Update B)
This updated advisory is a follow-up to the original advisory titled ICSA-22-132-13 Siemens Industrial Devices using libcurl (Update A) that was published June 16, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Use After Free vulnerability in versions of Siemens Industrial Devices using libcurl.

Siemens SIMATIC WinCC and PCS (Update C)
This updated advisory is a follow-up to the advisory update titled ICSA-22-041-02 Siemens SIMATIC WinCC and PCS (Update B) that was published May 12, 2022, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Exposure of Sensitive Information to an Unauthorized Actor and Insertion of Sensitive Information into Externally Accessible File or Directory vulnerabilities in versions of SIMATIC products.

Siemens Teamcenter (Update B)
This updated advisory is a follow-up to the original advisory titled ICSA-22-132-16 Siemens Teamcenter (Update A) that was published June 16, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Stack-based Buffer Overflow and Improper Restriction of XML External Entity Reference vulnerabilities in versions of Teamcenter, a product lifecycle management software.

Siemens Industrial Products (Update B)
This updated advisory is a follow-up to the original advisory titled ICSA-22-132-12 Siemens Industrial Products (Update A) that was published July 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in versions of the OPC Foundation Local Discovery Server of Siemens industrial products.

Siemens OpenSSL Vulnerabilities in Industrial Products (Update B)
This updated advisory is a follow-up to the original advisory titled ICSA-22-104-05 Siemens OpenSSL Vulnerabilities in Industrial Products (Update A) that was published May 12, 2022, on the ICS webpage at cisa.gov/ics. This advisory contains mitigations for a NULL Pointer Dereference vulnerability in versions of Siemens industrial products.

Siemens RUGGEDCOM ROS (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-22-195-18 Siemens RUGGEDCOM ROS that was published July 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Improper Control of Generation of Code vulnerability in versions of RUGGEDCOM ROS-based devices.

Siemens Simcenter Femap and Parasolid (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-22-195-09 Simcenter Femap and Parasolid that was published July 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Out-of-bounds Read vulnerability in versions of Simcenter Femap, an advanced simulation application, and Parasolid, a 3D geometric modeling tool.

Siemens SRCS VPN Feature in SIMATIC CP Devices (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-22-195-12 Siemens SRCS VPN Feature in SIMATIC CP Devices that was published July 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Heap-based Buffer Overflow, Command Injection, and Code Injection vulnerabilities in versions of SIMATIC CP Devices, communication processors.