Bulletins | CERT@VDE

CODESYS Gateway Server (Update A)

Titel

CODESYS Gateway Server (Update A)

Veröffentlicht

30. Juni 2022 16:00

URL

https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02

Text

This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products.

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-01

ABB e-Design

Titel

ABB e-Design

Veröffentlicht

28. Juni 2022 16:25

URL

Text

This advisory contains mitigations for an Incorrect Default Permissions vulnerability in ABB e-Design engineering software.

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Titel

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Veröffentlicht

28. Juni 2022 16:20

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02

Text

This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, and Plaintext Storage of a Password vulnerabilities in Omron SYSMAC CS/CJ/CP Series and NJ/NX Series programmable logic controllers.

Motorola Solutions MOSCAD IP and ACE IP Gateways

Titel

Motorola Solutions MOSCAD IP and ACE IP Gateways

Veröffentlicht

28. Juni 2022 16:10

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-04

Text

This advisory contains mitigations for a missing authentication for critical function vulnerability in the Motorola Solutions MOSCAD IP and ACE IP Gateways products.

Motorola Solutions MDLC

Titel

Motorola Solutions MDLC

Veröffentlicht

28. Juni 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-05

Text

This advisory contains mitigations for Use of a Broken or Risky Cryptographic Algorithm, and Plaintext Storage of a Password vulnerabilities in the Motorola Solutions MDLC protocol parser.

Motorola Solutions ACE1000

Titel

Motorola Solutions ACE1000

Veröffentlicht

28. Juni 2022 16:00

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-06

Text

This advisory contains mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit.

AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

US CERT

Titel

AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

Veröffentlicht

23. Juni 2022 19:00

URL

https://us-cert.cisa.gov/ncas/alerts/aa22-174a

Text

Original release date: June 23, 2022SummaryActions to take today: • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised. ...

https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01

OFFIS DCMTK

Titel

OFFIS DCMTK

Veröffentlicht

23. Juni 2022 16:25

URL

Text

This advisory contains mitigations for a path traversal, relative path traversal, NULL pointer reference vulnerability in DCMTK, an OFFIS product.

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01

Yokogawa STARDOM

Titel

Yokogawa STARDOM

Veröffentlicht

23. Juni 2022 16:20

URL

Text

This advisory contains mitigations for Cleartext Transmission of Sensitive Information, and Use of Hard-coded Credentials vulnerabilities in the Yokogawa STARDOM network control system.

Yokogawa CAMS for HIS

Titel

Yokogawa CAMS for HIS

Veröffentlicht

23. Juni 2022 16:15

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02

Text

This advisory contains mitigations for a Violation of Secure Design Principles vulnerability in the Yokogawa Consolidation Alarm Management Software for Human Interface Station (CAMS for HIS).

Secheron SEPCOS Control and Protection Relay

Titel

Secheron SEPCOS Control and Protection Relay

Veröffentlicht

23. Juni 2022 16:10

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03

Text

This advisory contains mitigations for Improper Enforcement of Behavioral Workflow, Lack of Administrator Control over Security, Improper Privilege Management, and Insufficiently Protected Credentials vulnerabilities in the Secheron SEPCOS Control and Protection Relay.

Pyramid Solutions EtherNet/IP Adapter Development Kit

Titel

Pyramid Solutions EtherNet/IP Adapter Development Kit

Veröffentlicht

23. Juni 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04

Text

This advisory contains mitigations for an Out-of-bounds Write vulnerability in the Pyramid Solutions EtherNet/IP Adapter Development Kit.

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05

Elcomplus SmartICS

Titel

Elcomplus SmartICS

Veröffentlicht

23. Juni 2022 16:00

URL

Text

This advisory contains mitigations for Improper Access Control, Relative Path Traversal, and Cross-site Scripting vulnerabilities in the Elcomplus SmartICS web-based HMI.

22.06.2022

Mitsubishi Electric MELSEC Q and L Series

Titel

Mitsubishi Electric MELSEC Q and L Series

Veröffentlicht

22. Juni 2022 04:25

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-01

Text

This advisory contains mitigations for an Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC Q and L Series CPUs.

22.06.2022

BOSCH PSIRT

Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

Titel

Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch

Veröffentlicht

22. Juni 2022 02:00

URL

https://psirt.bosch.com/security-advisories/bosch-sa-247052-bt.html

Text

BOSCH-SA-247052-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch including an Improper Input Validation, an Improper Privilege Management and an Execution with Unnecessary Privileges vulnerability.These vulnerabilities can give root access and/or administrator privilege to the switch from the network.Customers are advised to upgrade to version 1.01.07 that solves vulnerabilities CVE-2022-32534, ...

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02

JTEKT TOYOPUC

Titel

JTEKT TOYOPUC

Veröffentlicht

21. Juni 2022 16:20

URL

Text

This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller.

Phoenix Contact Classic Line Controllers

Titel

Phoenix Contact Classic Line Controllers

Veröffentlicht

21. Juni 2022 16:15

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-03

Text

This advisory contains mitigations for an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact classic line controllers.

Phoenix Contact ProConOS and MULTIPROG

Titel

Phoenix Contact ProConOS and MULTIPROG

Veröffentlicht

21. Juni 2022 16:10

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-04

Text

This advisory contains mitigations for an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact ProConOS and MULTIPROG software development kit.

Phoenix Contact Classic Line Industrial Controllers

Titel

Phoenix Contact Classic Line Industrial Controllers

Veröffentlicht

21. Juni 2022 16:05

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-05

Text

This advisory contains mitigations for an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact Classic Line Industrial Controllers.

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-06

Siemens WinCC OA

Titel

Siemens WinCC OA

Veröffentlicht

21. Juni 2022 16:00

URL

Text

This advisory contains mitigations for a Use of Client-side Authentication vulnerability in the Siemens SIMATIC WinCC OA SCADA HMI system.

SSA-111512 V1.0: Client-side Authentication in SIMATIC WinCC OA

SIEMENS CERT

Titel

SSA-111512 V1.0: Client-side Authentication in SIMATIC WinCC OA

Veröffentlicht

21. Juni 2022 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-111512.pdf

Text

SIMATIC WinCC OA implements client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated. Siemens recommends to enable server-side authentication (SSA) or Kerberos authentication for all WinCC OA projects, as documented ...

17.06.2022

Hillrom Medical Device Management

Titel

Hillrom Medical Device Management

Veröffentlicht

17. Juni 2022 05:08

URL

https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01

Text

This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerability in Welch Allyn resting electrocardiograph devices. Hillrom Medical. Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries.

17.06.2022

AutomationDirect C-More EA9 HMI

Titel

AutomationDirect C-More EA9 HMI

Veröffentlicht

17. Juni 2022 05:06

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01

Text

This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products.

16.06.2022

AutomationDirect DirectLOGIC with Serial Communication

Titel

AutomationDirect DirectLOGIC with Serial Communication

Veröffentlicht

16. Juni 2022 17:04

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02

Text

This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication.

16.06.2022