Bulletins | CERT@VDE

Siemens Solid Edge SE2023

Titel

Siemens Solid Edge SE2023

Veröffentlicht

10. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-222-11

Text

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Solid Edge Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to crash the application or execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products from ...

Siemens Parasolid and Teamcenter Visualization

Titel

Siemens Parasolid and Teamcenter Visualization

Veröffentlicht

10. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-222-06

Text

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Parasolid and Teamcenter Visualization Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Out-of-bounds Write, Allocation of Resources without Limits or Throttling 2. RISK EVALUATION An attacker could successfully exploit these vulnerabilities by tricking a user into opening a malicious ...

Siemens OpenSSL RSA Decryption in SIMATIC

Titel

Siemens OpenSSL RSA Decryption in SIMATIC

Veröffentlicht

10. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-222-09

Text

1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: SIMATIC, SIPLUS Vulnerability: Inadequate Encryption Strength 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to recover the product’s connection secret. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products from Siemens are affected: SIMATIC ...

Siemens RUGGEDCOM CROSSBOW

Titel

Siemens RUGGEDCOM CROSSBOW

Veröffentlicht

10. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-222-05

Text

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM CROSSBOW Vulnerabilities: Out-of-bounds Read, Improper Privilege Management, SQL Injection, Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary database queries via SQL injection attacks, ...

Siemens Solid Edge, JT2Go, and Teamcenter Visualization

Titel

Siemens Solid Edge, JT2Go, and Teamcenter Visualization

Veröffentlicht

10. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-222-01

Text

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Solid Edge, JT2Go, and Teamcenter Visualization Vulnerabilities: Use After Free, Out-of-bounds Read, Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process. 3. ...

08.08.2023

Schneider Electric IGSS

Titel

Schneider Electric IGSS

Veröffentlicht

8. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-01

Text

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: low attack complexity Vendor: Schneider Electric Equipment: IGSS (Interactive Graphical SCADA System) Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability may allow arbitrary code execution or loss of control of the SCADA system. 3. TECHNICAL DETAILS 3.1 AFFECTED ...

08.08.2023

Hitachi Energy RTU500 series

Titel

Hitachi Energy RTU500 series

Veröffentlicht

8. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-02

Text

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 series Vulnerabilities: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could cause a buffer overflow and reboot of the product. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports these vulnerabilities ...

TEL-STER TelWin SCADA WebInterface

Titel

TEL-STER TelWin SCADA WebInterface

Veröffentlicht

3. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-03

Text

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: TEL-STER Sp. z o. o. Equipment: TelWin SCADA WebInterface Vulnerability: Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated attacker to read files on the system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS TEL-STER ...

Mitsubishi Electric GT and GOT Series Products

Titel

Mitsubishi Electric GT and GOT Series Products

Veröffentlicht

3. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-02

Text

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: GT Designer3, GOT2000 Series, GOT SIMPLE Series, and GT SoftGOT2000 Vulnerability: Weak Encoding for Password 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to obtain plaintext passwords by sniffing packets containing ...

Mitsubishi Electric GOT2000 and GOT SIMPLE

Titel

Mitsubishi Electric GOT2000 and GOT SIMPLE

Veröffentlicht

3. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-01

Text

1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely Vendor: Mitsubishi Electric Equipment: GOT2000 Series and GOT SIMPLE Series Vulnerability: Predictable Exact Value from Previous Values 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to hijack data connections or prevent legitimate users from establishing data connections. ...

Sensormatic Electronics VideoEdge

Titel

Sensormatic Electronics VideoEdge

Veröffentlicht

3. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-04

Text

1. EXECUTIVE SUMMARY CVSS v3 7.1 ATTENTION: Low attack complexity Vendor: Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc. Equipment: VideoEdge Vulnerability: Acceptance of Extraneous Untrusted Data with Trusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a local user to edit the VideoEdge configuration file ...

01.08.2023

APSystems Altenergy Power Control

Titel

APSystems Altenergy Power Control

Veröffentlicht

1. August 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01

Text

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely / low attack complexity / public exploits available Vendor: APSystems Equipment: Altenergy Power Control Vulnerability: OS Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability may allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ...

Juli 2023

ETIC Telecom RAS Authentication

Titel

ETIC Telecom RAS Authentication

Veröffentlicht

27. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01

Text

1. EXECUTIVE SUMMARY CVSS v3 7.1 ATTENTION: Exploitable with adjacent access/low attack complexity Vendor: ETIC Telecom Equipment: Remote Access Server (RAS) Vulnerability: Insecure Default Initialization of Resource 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to reconfigure the device or cause a denial-of-service condition. 3. TECHNICAL ...

https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-02

PTC KEPServerEX

Titel

PTC KEPServerEX

Veröffentlicht

27. Juli 2023 14:00

URL

Text

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: PTC Equipment: KEPServerEX Vulnerability: Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of this vulnerability could result in the affected device crashing. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of KEPServerEX, an industrial automation data concentrator ...

Mitsubishi Electric CNC Series (Update A)

Titel

Mitsubishi Electric CNC Series (Update A)

Veröffentlicht

27. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-03

Text

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: CNC Series devices Vulnerability: Classic Buffer Overflow 2. UPDATE OR REPOSTED INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-23-208-03 Mitsubishi Electric CNC Series that was published July 27, 2023, on ...

Mitsubishi Electric CNC Series

Titel

Mitsubishi Electric CNC Series

Veröffentlicht

27. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-03

Text

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: CNC Series devices Vulnerability: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a malicious remote attacker to cause a denial-of-service condition and execute malicious code on the product by sending ...

25.07.2023

Johnson Controls IQ Wifi 6

Titel

Johnson Controls IQ Wifi 6

Veröffentlicht

25. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-206-04

Text

1. EXECUTIVE SUMMARY CVSS v3 8.3 ATTENTION: Low attack complexity Vendor: Johnson Controls Inc. Equipment: IQ Wifi 6 Vulnerability: Improper Restriction of Excessive Authentication Attempts 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthorized user to gain account access by conducting a brute force authentication attack. 3. ...

25.07.2023

https://www.cisa.gov/news-events/ics-advisories/icsa-23-206-01

AXIS A1001

Titel

AXIS A1001

Veröffentlicht

25. Juli 2023 14:00

URL

Text

1. EXECUTIVE SUMMARY CVSS v3 7.1 ATTENTION: Exploitable from adjacent network Vendor: Axis Communications Equipment: AXIS A1001 Vulnerability: Heap-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of AXIS A1001, a ...

25.07.2023

Emerson ROC800 Series RTU and DL8000 Preset Controller

Titel

Emerson ROC800 Series RTU and DL8000 Preset Controller

Veröffentlicht

25. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-206-03

Text

1. EXECUTIVE SUMMARY CVSS v3 9.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: Emerson Equipment: ROC800-Series RTU; including ROC800, ROC800L, and DL8000 Preset Controllers Vulnerability: Authentication Bypass 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition or gain unauthorized access to data or ...

20.07.2023

Schneider Electric EcoStruxure Products, Modicon PLCs, and Programmable Automation Controllers

Titel

Schneider Electric EcoStruxure Products, Modicon PLCs, and Programmable Automation Controllers

Veröffentlicht

20. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-201-01

Text

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Products, Modicon PLCs, and Programmable Automation Controllers Vulnerabilities: Improper Check for Unusual or Exceptional Conditions 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker unauthorized access to components, ability to execute ...

Keysight N6845A Geolocation Server

Titel

Keysight N6845A Geolocation Server

Veröffentlicht

18. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02

Text

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Keysight Technologies Equipment: N6854A Geolocation Server Vulnerabilities: Exposed Dangerous Method or Function, Relative Path Traversal 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, execute arbitrary code, or cause a denial-of-service condition. 3. ...

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04

Weintek Weincloud

Titel

Weintek Weincloud

Veröffentlicht

18. Juli 2023 14:00

URL

Text

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Weintek Equipment: Weincloud Vulnerabilities: Weak Password Recovery Mechanism for Forgotten Password, Improper Authentication, Improper Restriction of Excessive Authentication Attempts, Improper Handling of Structural Elements 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to utilize ...

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05

GeoVision GV-ADR2701

Titel

GeoVision GV-ADR2701

Veröffentlicht

18. Juli 2023 14:00

URL

Text

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: GeoVision Equipment: GV-ADR2701 Vulnerabilities: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to log in to the camera’s web application. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS GeoVision reports this ...

WellinTech KingHistorian

Titel

WellinTech KingHistorian

Veröffentlicht

18. Juli 2023 14:00

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-07

Text

1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: WellinTech Equipment: KingHistorian Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Signed to Unsigned Conversion Error 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or send ...