Bulletins | CERT@VDE

SSA-736385 V1.0: Memory Corruption Vulnerability in OpenV2G

Titel

SSA-736385 V1.0: Memory Corruption Vulnerability in OpenV2G

Veröffentlicht

10. Mai 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-736385.pdf

Text

The open source software OpenV2G contains a buffer overflow vulnerability that could allow an attacker to trigger a memory corruption. Siemens has released an update for the OpenV2G and recommends to update to the latest version.

10.05.2022

SSA-732250 V1.0: Libcurl Vulnerabilities in Industrial Devices

Titel

SSA-732250 V1.0: Libcurl Vulnerabilities in Industrial Devices

Veröffentlicht

10. Mai 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf

Text

Vulnerabilities in third-party component cURL could allow an attacker to interfere with the affected products in various ways. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends countermeasures for products where updates are not, or not ...

10.05.2022

SSA-756638 V1.1 (Last Update: 2022-05-10): Vulnerabilities in Third-Party Component Mbed TLS of LOGO! CMR Family and SIMATIC RT...

Titel

SSA-756638 V1.1 (Last Update: 2022-05-10): Vulnerabilities in Third-Party Component Mbed TLS of LOGO! CMR Family and SIMATIC RTU 3000 Family

Veröffentlicht

10. Mai 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf

Text

Devices of the LOGO! CMR family and the SIMATIC RTU 3000 family are affected by several vulnerabilities in the third party component Mbed TLS. They could allow an attacker with access to any of the interfaces of an affected device to impact the availability or to communicate with invalid certificates. ...

03.05.2022

Yokogawa CENTUM and ProSafe-RS

Titel

Yokogawa CENTUM and ProSafe-RS

Veröffentlicht

3. Mai 2022 16:00

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-123-01

Text

This advisory contains mitigations for a OS Command Injection, Improper Authentication, NULL Pointer Dereference, Improper Input Validation, Resource Management Errors vulnerabilities in Yokogawa CENTUM and ProSafe-RS Distributed Control System and Safety Instrumented System products.

02.05.2022

Vulnerabilities in the communication protocol of the PLC runtime

Titel

Vulnerabilities in the communication protocol of the PLC runtime

Veröffentlicht

2. Mai 2022 02:00

URL

https://psirt.bosch.com/security-advisories/bosch-sa-577411.html

Text

BOSCH-SA-577411: The PLC application of the control systems ctrlX CORE, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contains PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published multiple security bulletins \[1\], \[2\], \[3\], \[4\], \[5\]. By exploiting the vulnerabilities in the protocol for the communication between the PLC ...

April 2022

AA22-117A: 2021 Top Routinely Exploited Vulnerabilities

US CERT

Titel

AA22-117A: 2021 Top Routinely Exploited Vulnerabilities

Veröffentlicht

27. April 2022 16:00

URL

https://us-cert.cisa.gov/ncas/alerts/aa22-117a

Text

Original release date: April 27, 2022SummaryThis joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre ...

SSA-254054 V1.1 (Last Update: 2022-04-27): Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impac...

Titel

SSA-254054 V1.1 (Last Update: 2022-04-27): Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products

Veröffentlicht

27. April 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf

Text

A vulnerability in Spring Framework was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2022-22965 and is also known as “Spring4Shell” or “SpringShell”. Siemens is currently investigating to determine which products are affected and is continuously updating this advisory as ...

Improper Control of Generation of Code in Bosch MATRIX

Titel

Improper Control of Generation of Code in Bosch MATRIX

Veröffentlicht

27. April 2022 02:00

URL

https://psirt.bosch.com/security-advisories/bosch-sa-309239-bt.html

Text

BOSCH-SA-309239-BT: The access control and time attendance management software Bosch MATRIX uses a version of the Java Spring Framework that is vulnerable to \"spring4shell\" (CVE-2022-22965). Bosch MATRIX does NOT use a configuration that is currently known to be exploitable using this vulnerability, but as the developers of Spring point out, ...

Vulnerability in routers FL MGUARD and TC MGUARD

Titel

Vulnerability in routers FL MGUARD and TC MGUARD

Veröffentlicht

27. April 2022 02:00

URL

https://psirt.bosch.com/security-advisories/bosch-sa-982696.html

Text

BOSCH-SA-982696: The FL MGUARD and TC MGUARD safety devices sold by Bosch Rexroth are devices from Phoenix Contact that have been introduced as trade goods. A security advisory has been published by the manufacturer, which indicates that devices are affected by a possible infinite loop within an OpenSSL library method ...

26.04.2022

Hitachi Energy System Data Manager

Titel

Hitachi Energy System Data Manager

Veröffentlicht

26. April 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-116-01

Text

This advisory contains mitigations for a Integer Overflow or Wraparound, Reachable Assertion, Type Confusion, Uncontrolled Recursion, and Observable Discrepancy vulnerabilities in Hitachi Energy System Data Manager products.

26.04.2022

Mitsubishi Electric MELSEC and MELIPC Series (Update B)

Titel

Mitsubishi Electric MELSEC and MELIPC Series (Update B)

Veröffentlicht

26. April 2022 16:00

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02

Text

This updated advisory is a follow up to the advisory update titled ICSA-21-334-02 Mitsubishi Electric MELSEC and MELIPC Series (Update A) that was published January 27, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input ...

21.04.2022

Delta Electronics ASDA-Soft

Titel

Delta Electronics ASDA-Soft

Veröffentlicht

21. April 2022 16:10

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-111-01

Text

This advisory contains mitigations for Out-of-bounds Write, and Out-of-bounds Read vulnerabilities in Delta Electronics ASDA-Soft servo software.

21.04.2022

Johnson Controls Metasys SCT Pro

Titel

Johnson Controls Metasys SCT Pro

Veröffentlicht

21. April 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-111-02

Text

This advisory contains mitigations for a Server-side Request Forgery vulnerability in Johnson Controls Metasys SCT Pro building automation software.

21.04.2022

Hitachi Energy MicroSCADA Pro/X SYS600

Titel

Hitachi Energy MicroSCADA Pro/X SYS600

Veröffentlicht

21. April 2022 16:00

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-111-03

Text

This advisory contains mitigations for Observable Discrepancy, HTTP Request Smuggling, Classic Buffer Overflow, Improper Certificate Validation, Improper Restriction of Operations within the Bounds of a Memory Buffer, and Exposure of Sensitive Information to an Unauthorized Actor vulnerabilities in the Hitachi Energy MicroSCADA Pro/X SYS600 SCADA product.

20.04.2022

US CERT

AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

Titel

AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

Veröffentlicht

20. April 2022 19:00

URL

https://us-cert.cisa.gov/ncas/alerts/aa22-110a

Text

Original release date: April 20, 2022SummaryActions critical infrastructure organizations should implement to immediately protect against Russian state-sponsored and criminal cyber threats: • Patch all systems. Prioritize patching known exploited vulnerabilities. • Enforce multifactor authentication. • Secure and monitor Remote Desktop Protocol and other risky services. • Provide end-user awareness and ...

20.04.2022

Multiple ctrlX CORE vulnerabilities

Titel

Multiple ctrlX CORE vulnerabilities

Veröffentlicht

20. April 2022 02:00

URL

https://psirt.bosch.com/security-advisories/bosch-sa-029150.html

Text

BOSCH-SA-029150: The base operating system app core20, which is part of ctrlX CORE XCR (base system apps), includes vulnerable versions of expat, libc and OpenSSL. Furthermore, multiple ctrlX CORE apps use at least one of the libraries shipped with core20. An attacker might be able to escalate privileges, gain system ...

Interlogix Hills ComNav

Titel

Interlogix Hills ComNav

Veröffentlicht

19. April 2022 16:25

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01

Text

This advisory contains mitigations for Improper Restriction of Excessive Authentication Attempts, and Inadequate Encryption Strength vulnerability in Interlogix Hills ComNav remote access integration modules.

Automated Logic WebCTRL

Titel

Automated Logic WebCTRL

Veröffentlicht

19. April 2022 16:20

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02

Text

This advisory contains mitigations for n Open Redirect vulnerability inAutomated Logic WebCTRL building automation software.

FANUC ROBOGUIDE Simulation Platform

Titel

FANUC ROBOGUIDE Simulation Platform

Veröffentlicht

19. April 2022 16:15

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03

Text

This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource, Improper Access Control, Path Traversal, Improper Restriction of XML External Entity Reference, and Uncontrolled Resource Consumption vulnerabilities in FANUC ROBOGUIDE simulation software for FANUC robots.

Elcomplus SmartPTT SCADA

Titel

Elcomplus SmartPTT SCADA

Veröffentlicht

19. April 2022 16:10

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04

Text

This advisory contains mitigations for Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Authorization, and Cross-site Scripting vulnerabilities in Elcomplus SmartPTT SCADA voice and data dispatch software.

Elcomplus SmartPPT SCADA

Titel

Elcomplus SmartPPT SCADA

Veröffentlicht

19. April 2022 16:10

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04

Text

Elcomplus SmartPTT SCADA Server

Titel

Elcomplus SmartPTT SCADA Server

Veröffentlicht

19. April 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05

Text

This advisory contains mitigations for Cross-site Scripting, Unauthorized Exposure to Sensitive Information, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Cross-site Request Forgery vulnerabilities in the Elcomplus SmartPTT SCADA Server voice and data dispatch software.

Elcomplus SmartPPT SCADA Server

Titel

Elcomplus SmartPPT SCADA Server

Veröffentlicht

19. April 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05

Text

Multiple RTOS (Update E)

Titel

Multiple RTOS (Update E)

Veröffentlicht

19. April 2022 16:00

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

Text

This updated advisory is a follow-up to the advisory update titled ICSA-21-119-04 Multiple RTOS (Update D) that was published November 30, 2021, to the ICS webpage on www.cisa.gov/uscert. CISA is aware of a public report, known as “BadAlloc” that details vulnerabilities found in multiple real-time operating systems (RTOS) and supporting ...