Bulletins | CERT@VDE

Siemens SCALANCE Family Products

Title

Siemens SCALANCE Family Products

Published

Nov. 16, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-08

Summary

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY ...

Siemens Mendix Runtime

Title

Siemens Mendix Runtime

Published

Nov. 16, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-04

Summary

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-12

Siemens PNI

Title

Siemens PNI

Published

Nov. 16, 2023, 1 p.m.

URL

Summary

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01

Red Lion Sixnet RTUs

Title

Red Lion Sixnet RTUs

Published

Nov. 16, 2023, 1 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Red Lion Equipment: Sixnet RTU Vulnerabilities: Authentication Bypass using an Alternative Path or Channel, Exposed Dangerous Method or Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to execute commands with ...

Siemens OPC UA Modeling Editor (SiOME)

Title

Siemens OPC UA Modeling Editor (SiOME)

Published

Nov. 16, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-07

Summary

Siemens Mendix Studio Pro

Title

Siemens Mendix Studio Pro

Published

Nov. 16, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-11

Summary

Siemens Desigo CC product family

Title

Siemens Desigo CC product family

Published

Nov. 16, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-03

Summary

14.11.2023

AVEVA Operations Control Logger

Title

AVEVA Operations Control Logger

Published

Nov. 14, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: AVEVA Equipment: Operations Control Logger Vulnerabilities: Execution with Unnecessary Privileges, External Control of File Name or Path 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow privilege escalation or denial of service. 3. TECHNICAL DETAILS 3.1 ...

14.11.2023

Rockwell Automation SIS Workstation and ISaGRAF Workbench

Title

Rockwell Automation SIS Workstation and ISaGRAF Workbench

Published

Nov. 14, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: SIS Workstation and ISaGRAF Workbench Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow unprivileged local users to overwrite files replacing them with malicious programs. 3. TECHNICAL DETAILS 3.1 ...

09.11.2023

https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-02

Hitachi Energy eSOMS

Title

Hitachi Energy eSOMS

Published

Nov. 9, 2023, 1 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: eSOMS Vulnerabilities: Generation of Error Message Containing Sensitive Information, Exposure of Sensitive System Information to an Unauthorized Control Sphere 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose ...

09.11.2023

Johnson Controls Quantum HD Unity

Title

Johnson Controls Quantum HD Unity

Published

Nov. 9, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable Remotely/Low attack complexity Vendor: Johnson Controls Inc. Equipment: Quantum HD Unity Vulnerability: Active Debug Code 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthorized user to access debug features that were accidentally exposed. 3. TECHNICAL DETAILS 3.1 ...

07.11.2023

https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-23

GE MiCOM S1 Agile

Title

GE MiCOM S1 Agile

Published

Nov. 7, 2023, 1 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Low attack complexity Vendor: General Electric Equipment: MiCOM S1 Agile Vulnerability: Uncontrolled Search Path Element 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to upload malicious files and achieve code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ...

Schneider Electric SpaceLogic C-Bus Toolkit

Title

Schneider Electric SpaceLogic C-Bus Toolkit

Published

Nov. 2, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-06

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: SpaceLogic C-Bus Toolkit Vulnerabilities: Improper Privilege Management, Path Traversal 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, which could result in tampering of the ...

Mitsubishi Electric MELSEC Series

Title

Mitsubishi Electric MELSEC Series

Published

Nov. 2, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Corporation Equipment: MELSEC Series Vulnerability: Insufficient Verification of Data Authenticity 2. RISK EVALUATION Successful exploitation of this vulnerability may allow a remote attacker to reset the memory of the products to factory default state ...

Weintek EasyBuilder Pro

Title

Weintek EasyBuilder Pro

Published

Nov. 2, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Weintek Equipment: EasyBuilder Pro Vulnerability: Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to obtain remote control of a victim's computer as a privileged user. 3. TECHNICAL DETAILS ...

Franklin Fueling System TS-550

Title

Franklin Fueling System TS-550

Published

Nov. 2, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.3 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Franklin Fueling System Equipment: TS-550 Vulnerability: Use of Password Hash with Insufficient Computational Effort 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access the device and gain unauthenticated ...

Mitsubishi Electric MELSEC iQ-F Series CPU Module

Title

Mitsubishi Electric MELSEC iQ-F Series CPU Module

Published

Nov. 2, 2023, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Equipment: MELSEC iQ-F Series Vulnerability: Improper Restriction of Excessive Authentication Attempts 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to prevent legitimate users from logging into the web server function for a ...

October 2023

31.10.2023

https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-03

Zavio IP Camera

Title

Zavio IP Camera

Published

Oct. 31, 2023, 1 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Zavio Equipment: IP Camera Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer, OS Command Injection 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow remote code execution. 3. TECHNICAL DETAILS 3.1 ...

Sielco Radio Link and Analog FM Transmitters

Title

Sielco Radio Link and Analog FM Transmitters

Published

Oct. 26, 2023, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Sielco Equipment: Analog FM Transmitters and Radio Link Vulnerabilities: Improper Access Control, Cross-Site Request Forgery, Privilege Defined with Unsafe Actions 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to ...

Rockwell Automation FactoryTalk View Site Edition

Title

Rockwell Automation FactoryTalk View Site Edition

Published

Oct. 26, 2023, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-05

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk View Site Edition Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could cause the product to become unavailable and require a restart to recover resulting in a denial-of-service ...

Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium

Title

Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium

Published

Oct. 26, 2023, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Ashlar-Vellum Equipment: Cobalt, Graphite, Xenon, Argon, Lithium, and Cobalt Share Vulnerabilities: Out-of-Bounds Write, Heap-based Buffer Overflow, Out-of-Bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS ...

Sielco PolyEco FM Transmitter

Title

Sielco PolyEco FM Transmitter

Published

Oct. 26, 2023, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Sielco Equipment: PolyEco1000 Vulnerabilities: Session Fixation, Improper Restriction of Excessive Authentication Attempts, Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, ...

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-01

Dingtian DT-R002

Title

Dingtian DT-R002

Published

Oct. 26, 2023, 2 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely/public exploits are available Vendor: Dingtian Equipment: DT-R002 Vulnerability: Authentication Bypass by Capture-Replay 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to bypass authentication. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Dingtian DT-R002, ...

Centralite Pearl Thermostat

Title

Centralite Pearl Thermostat

Published

Oct. 26, 2023, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Centralite Equipment: Pearl Thermostat Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial of service on the affected ...

24.10.2023