Bulletins | CERT@VDE

Simcenter Femap and Parasolid

Title

Simcenter Femap and Parasolid

Published

July 14, 2022, 4:42 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-195-09

Summary

This advisory contains mitigations for an Out-of-bounds Read vulnerability Simcenter Femap, an advanced simulation application, and Parasolid, a 3D geometric modeling tool.

14.07.2022

Siemens Mendix Applications

Title

Siemens Mendix Applications

Published

July 14, 2022, 4:40 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-195-10

Summary

This advisory contains mitigations for an Out-of-bounds Read vulnerability in Siemens Mendix Applications, a high productivity app platform.

12.07.2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01

Dahua ASI7213X-T1

Title

Dahua ASI7213X-T1

Published

July 12, 2022, 4:05 p.m.

URL

Summary

This advisory contains mitigations for Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Authentication Bypass by Capture-replay, Generation of Error Message Containing Sensitive Information vulnerabilities in the Dahua ASI7213X-T1 facial recognition access controller.

12.07.2022

Schneider Electric Easergy P5 and P3 (Update A)

Title

Schneider Electric Easergy P5 and P3 (Update A)

Published

July 12, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03

Summary

This updated advisory is a follow-up to the original advisory titled ICSA-22-055-03 Schneider Electric Easergy P5 and P3 that was published February 24, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Use of Hard-coded Credentials, Classic Buffer Overflow, and Improper Input Validation vulnerabilities in Schneider Electric ...

07.07.2022

Bently Nevada ADAPT 3701/4X Series and 60M100

Title

Bently Nevada ADAPT 3701/4X Series and 60M100

Published

July 7, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02

Summary

1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Bently Nevada Equipment: 3701/4X series and 60M100 (3701/60) Condition Monitoring System Vulnerabilities: Use of Hard-coded Credentials, Missing Authentication for Critical Function CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational ...

07.07.2022

Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update B)

Title

Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update B)

Published

July 7, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-280-04

Summary

This updated advisory is a follow-up to the original advisory titled ICSA-21-280-04 Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update A) that was published October 28, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R Series ...

June 2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-181-01

Exemys RME1

Title

Exemys RME1

Published

June 30, 2022, 4:25 p.m.

URL

Summary

This advisory contains mitigations for an Improper Authentication vulnerability in the Exemys RME1 analog acquisition module.

Yokogawa Wide Area Communication Router

Title

Yokogawa Wide Area Communication Router

Published

June 30, 2022, 4:20 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-181-02

Summary

This advisory contains mitigations for a Use of Insufficiently Random Values vulnerability in the Yokogawa Wide Area Communication Router.

Emerson DeltaV Distributed Control System

Title

Emerson DeltaV Distributed Control System

Published

June 30, 2022, 4:15 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-181-03

Summary

This advisory contains mitigations for a Missing Authentication for Critical Function, Use of Hard-coded Credentials, Insufficient Verification of Data Authenticity, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in the Emerson DeltaV Distributed Control System software management platform.

Mitsubishi Electric FA Engineering Software (Update A)

Title

Mitsubishi Electric FA Engineering Software (Update A)

Published

June 30, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05

Summary

This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electric's FA Engineering Software products.

CODESYS Gateway Server (Update A)

Title

CODESYS Gateway Server (Update A)

Published

June 30, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02

Summary

This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products.

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-01

ABB e-Design

Title

ABB e-Design

Published

June 28, 2022, 4:25 p.m.

URL

Summary

This advisory contains mitigations for an Incorrect Default Permissions vulnerability in ABB e-Design engineering software.

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Title

Omron SYSMAC CS/CJ/CP Series and NJ/NX Series

Published

June 28, 2022, 4:20 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02

Summary

This advisory contains mitigations for Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, and Plaintext Storage of a Password vulnerabilities in Omron SYSMAC CS/CJ/CP Series and NJ/NX Series programmable logic controllers.

Motorola Solutions MOSCAD IP and ACE IP Gateways

Title

Motorola Solutions MOSCAD IP and ACE IP Gateways

Published

June 28, 2022, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-04

Summary

This advisory contains mitigations for a missing authentication for critical function vulnerability in the Motorola Solutions MOSCAD IP and ACE IP Gateways products.

Motorola Solutions MDLC

Title

Motorola Solutions MDLC

Published

June 28, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-05

Summary

This advisory contains mitigations for Use of a Broken or Risky Cryptographic Algorithm, and Plaintext Storage of a Password vulnerabilities in the Motorola Solutions MDLC protocol parser.

Motorola Solutions ACE1000

Title

Motorola Solutions ACE1000

Published

June 28, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-179-06

Summary

This advisory contains mitigations for Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, and Insufficient Verification of Data Authenticity vulnerabilities in the Motorola Solutions ACE1000 remote terminal unit.

https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01

OFFIS DCMTK

Title

OFFIS DCMTK

Published

June 23, 2022, 4:25 p.m.

URL

Summary

This advisory contains mitigations for a path traversal, relative path traversal, NULL pointer reference vulnerability in DCMTK, an OFFIS product.

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01

Yokogawa STARDOM

Title

Yokogawa STARDOM

Published

June 23, 2022, 4:20 p.m.

URL

Summary

This advisory contains mitigations for Cleartext Transmission of Sensitive Information, and Use of Hard-coded Credentials vulnerabilities in the Yokogawa STARDOM network control system.

Yokogawa CAMS for HIS

Title

Yokogawa CAMS for HIS

Published

June 23, 2022, 4:15 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02

Summary

This advisory contains mitigations for a Violation of Secure Design Principles vulnerability in the Yokogawa Consolidation Alarm Management Software for Human Interface Station (CAMS for HIS).

Secheron SEPCOS Control and Protection Relay

Title

Secheron SEPCOS Control and Protection Relay

Published

June 23, 2022, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03

Summary

This advisory contains mitigations for Improper Enforcement of Behavioral Workflow, Lack of Administrator Control over Security, Improper Privilege Management, and Insufficiently Protected Credentials vulnerabilities in the Secheron SEPCOS Control and Protection Relay.

Pyramid Solutions EtherNet/IP Adapter Development Kit

Title

Pyramid Solutions EtherNet/IP Adapter Development Kit

Published

June 23, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04

Summary

This advisory contains mitigations for an Out-of-bounds Write vulnerability in the Pyramid Solutions EtherNet/IP Adapter Development Kit.

https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05

Elcomplus SmartICS

Title

Elcomplus SmartICS

Published

June 23, 2022, 4 p.m.

URL

Summary

This advisory contains mitigations for Improper Access Control, Relative Path Traversal, and Cross-site Scripting vulnerabilities in the Elcomplus SmartICS web-based HMI.

22.06.2022

Mitsubishi Electric MELSEC Q and L Series

Title

Mitsubishi Electric MELSEC Q and L Series

Published

June 22, 2022, 4:25 a.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-01

Summary

This advisory contains mitigations for an Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC Q and L Series CPUs.

21.06.2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02

JTEKT TOYOPUC

Title

JTEKT TOYOPUC

Published

June 21, 2022, 4:20 p.m.

URL

Summary

This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller.

21.06.2022