Bulletins | CERT@VDE

Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70

Titel

Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70

Veröffentlicht

11. August 2022 16:50

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-223-03

Text

This advisory contains mitigations for Heap-based Buffer Overflow, Wrap or Wraparound, Classic Buffer Overflow, and Out-of-bounds Write vulnerabilities in products using AT&T Labs Compressor (XMill) and Decompressor (XDemill).

Emerson ROC800, ROC800L and DL8000

Titel

Emerson ROC800, ROC800L and DL8000

Veröffentlicht

11. August 2022 16:48

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-223-04

Text

This advisory contains mitigations for an Insufficient Verification of Data Authenticity vulnerability in versions of ROC800, a remote automation controller.

Siemens SICAM A8000 Web Server Module

Titel

Siemens SICAM A8000 Web Server Module

Veröffentlicht

11. August 2022 16:46

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-223-05

Text

This advisory contains mitigations for an Improper Access Control vulnerability in versions of SICAM A8000 Web Server Module products.

Siemens SICAM TOOLBOX II

Titel

Siemens SICAM TOOLBOX II

Veröffentlicht

11. August 2022 16:44

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-223-06

Text

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in versions of SICAM TOOLBOX II, a control and monitoring system.

Siemens SIMATIC S7-400 (Update A)

Titel

Siemens SIMATIC S7-400 (Update A)

Veröffentlicht

11. August 2022 16:40

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-104-12

Text

This updated advisory is a follow-up to the advisory update titled ICSA-21-104-12 Siemens SIMATIC S7-400 that was published April 14, 2022, to the ICS webpage on www.cisa.gov/ics. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens SIMATIC S7-400.

Siemens Industrial Products Intel CPUs (Update E)

Titel

Siemens Industrial Products Intel CPUs (Update E)

Veröffentlicht

11. August 2022 16:38

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-222-05

Text

This updated advisory is a follow-up to the advisory update titled ICSA-21-222-05 Siemens Industrial Products Intel CPU (Update D) that was published July 14, 2022, to the ICS webpage on www.cisa.gov/ics. This advisory contains mitigations for a Missing Encryption of Sensitive Data vulnerability in versions of Siemens Industrial Products Intel ...

Siemens Industrial Products LLDP (Update C)

Titel

Siemens Industrial Products LLDP (Update C)

Veröffentlicht

11. August 2022 16:36

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-194-07

Text

This updated advisory is a follow-up to the original advisory titled ICSA-21-194-07 Siemens Industrial Products LLDP (Update B) that was published August 10, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Classic Buffer Overflow and Uncontrolled Resource Consumption vulnerabilities in versions of Siemens Industrial Products (LLDP).

SafeLogic Designer vulnerabilities

BOSCH PSIRT

Titel

SafeLogic Designer vulnerabilities

Veröffentlicht

11. August 2022 02:00

URL

https://psirt.bosch.com/security-advisories/bosch-sa-463993.html

Text

BOSCH-SA-463993: The SafeLogic Designer from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin regarding a vulnerability in the .NET framework. \[1\]A vulnerability in a .NET framework class used by SafeLogic Designer allows an attacker to craft malicious project files. Opening/importing such a malicious project ...

Mitsubishi Electric GT SoftGOT2000

Titel

Mitsubishi Electric GT SoftGOT2000

Veröffentlicht

9. August 2022 16:15

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-221-01

Text

This advisory contains mitigations for Infinite Loop and OS Command Injection vulnerabilities in versions of Mitsubishi Electric GT SoftGOT2000 software.

https://us-cert.cisa.gov/ics/advisories/icsa-22-221-02

Emerson ControlWave

Titel

Emerson ControlWave

Veröffentlicht

9. August 2022 16:10

URL

Text

This advisory contains mitigations for an Insufficient Verification of Data Authenticity vulnerabilities in Emerson ControlWave products, a programmable controller.

https://us-cert.cisa.gov/ics/advisories/icsa-22-221-03

Emerson OpenBSI

Titel

Emerson OpenBSI

Veröffentlicht

9. August 2022 16:05

URL

Text

This advisory contains mitigations for Use of Broken or Risky Cryptographic Algorithm and Use of Hard-coded Cryptographic Key vulnerabilities in Emerson OpenBSI, a set of network communication services.

SSA-914168 V1.3 (Last Update: 2022-08-09): Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products

Titel

SSA-914168 V1.3 (Last Update: 2022-08-09): Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf

Text

Multiple vulnerabilities were found in SIMATIC WinCC that ultimately could allow attackers to retrieve and brute force password hashes and access other systems. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products ...

SSA-789162 V1.2 (Last Update: 2022-08-09): Vulnerabilities in Teamcenter

Titel

SSA-789162 V1.2 (Last Update: 2022-08-09): Vulnerabilities in Teamcenter

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-789162.pdf

Text

Teamcenter is affected by XML External Entity Injection (XXE, CVE-2022-29801) and a stack based buffer overflow vulnerability (CVE-2022-24290). XXE impacts only Teamcenter versions before V13.1. Siemens has released updates for the affected products and recommends to update to the latest versions.

SSA-285795 V1.2 (Last Update: 2022-08-09): Denial of Service in OPC-UA in Industrial Products

Titel

SSA-285795 V1.2 (Last Update: 2022-08-09): Denial of Service in OPC-UA in Industrial Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-285795.pdf

Text

A vulnerability in the underlying third party component OPC UA ANSIC Stack (also called Legacy C-Stack) affects several industrial products. The vulnerability could cause a crash of the component that includes the vulnerable part of the stack. Siemens has released updates for several affected products and recommends to update to ...

SSA-243317 V1.1 (Last Update: 2022-08-09): File Parsing Vulnerability in Simcenter Femap and Parasolid

Titel

SSA-243317 V1.1 (Last Update: 2022-08-09): File Parsing Vulnerability in Simcenter Femap and Parasolid

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-243317.pdf

Text

Simcenter Femap and Parasolid are affected by an out of bounds read vulnerability that could be triggered when the application reads files in NEU format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution ...

SSA-244969 V1.7 (Last Update: 2022-08-09): OpenSSL Vulnerability in Industrial Products

Titel

SSA-244969 V1.7 (Last Update: 2022-08-09): OpenSSL Vulnerability in Industrial Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf

Text

OpenSSL has published a security advisory [0] about a vulnerability in OpenSSL versions 1.1.1 < 1.1.1l and 1.0.2 < 1.0.2za that allows an attacker to cause a denial of service (DoS) or to disclose private memory content. Siemens has released updates for several affected products and recommends to update to ...

SSA-710008 V1.0: Multiple Web Vulnerabilities in SCALANCE Products

Titel

SSA-710008 V1.0: Multiple Web Vulnerabilities in SCALANCE Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-710008.pdf

Text

SCALANCE devices contain multiple vulnerabilities in MSPS based product lines that could allow authenticated remote attackers to execute custom code or create a XSS situation, as well as unauthenticated remote attackers to create a denial of service condition. Siemens has released updates for several affected products and recommends to update ...

SSA-661034 V1.2 (Last Update: 2022-08-09): Incorrect Permission Assignment in Multiple SIMATIC Software Products

Titel

SSA-661034 V1.2 (Last Update: 2022-08-09): Incorrect Permission Assignment in Multiple SIMATIC Software Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-661034.pdf

Text

Multiple SIMATIC software products are affected by a vulnerability that could allow an attacker to change the content of certain metafiles and subsequently manipulate parameters or behaviour of devices configured by the affected software products. Siemens has released updates for several affected products and recommends to update to the latest ...

SSA-309571 V1.5 (Last Update: 2022-08-09): IPU 2021.1 Vulnerabilities in Siemens Industrial Products using Intel CPUs (June 2021)

Titel

SSA-309571 V1.5 (Last Update: 2022-08-09): IPU 2021.1 Vulnerabilities in Siemens Industrial Products using Intel CPUs (June 2021)

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf

Text

Intel has published information on vulnerabilities in Intel products in June 2021. This advisory lists the related Siemens Industrial products affected by these vulnerabilities that can be patched by applying the corresponding BIOS update. In this advisory we summarize: “2021.1 IPU – Intel® CSME, SPS and LMS Advisory” Intel-SA-00459, “2021.1 ...

SSA-321292 V1.2 (Last Update: 2022-08-09): Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial P...

Titel

SSA-321292 V1.2 (Last Update: 2022-08-09): Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-321292.pdf

Text

A vulnerability has been identified in the OPC Foundation Local Discovery Server (LDS) [0] of several industrial products. The vulnerability could cause a denial of service condition on the service or the device. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens ...

SSA-772220 V2.1 (Last Update: 2022-08-09): OpenSSL Vulnerabilities in Industrial Products

Titel

SSA-772220 V2.1 (Last Update: 2022-08-09): OpenSSL Vulnerabilities in Industrial Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf

Text

OpenSSL has published a security advisory [0] about a vulnerability in OpenSSL versions 1.1.1 < 1.1.1k, that allows an unauthenticated attacker to cause a Denial-of-Service (DoS) if a maliciously crafted renegotiation message is sent . Siemens has released updates for several affected products and recommends to update to the latest ...

SSA-669737 V1.2 (Last Update: 2022-08-09): Improper Access Control Vulnerability in SICAM TOOLBOX II

Titel

SSA-669737 V1.2 (Last Update: 2022-08-09): Improper Access Control Vulnerability in SICAM TOOLBOX II

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-669737.pdf

Text

SICAM TOOLBOX II contains a vulnerability that could allow an attacker access through a circumventable access control. Siemens recommends countermeasures for products where updates are not, or not yet available.

SSA-307392 V1.9 (Last Update: 2022-08-09): Denial of Service in OPC UA in Industrial Products

Titel

SSA-307392 V1.9 (Last Update: 2022-08-09): Denial of Service in OPC UA in Industrial Products

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-307392.pdf

Text

A vulnerability has been identified in the OPC UA server of several industrial products. The vulnerability could cause a denial of service condition on the service or the device. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for ...

SSA-446448 V1.3 (Last Update: 2022-08-09): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack

Titel

SSA-446448 V1.3 (Last Update: 2022-08-09): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack

Veröffentlicht

9. August 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-446448.pdf

Text

The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further ...