Bulletins | CERT@VDE

Siemens Climatix POL909

Title

Siemens Climatix POL909

Published

March 10, 2022, 5:25 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-069-07

Summary

This advisory contains mitigations for Cross-site Scripting, and Improper Access Control vulnerabilities in of Climatix POL909 AWM and AWB web modules.

10.03.2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-069-08

Siemens Polarion ALM

Title

Siemens Polarion ALM

Published

March 10, 2022, 5:20 p.m.

URL

Summary

This advisory contains mitigations for a Cross-site Scripting vulnerability in Siemens Siemens Polarion ALM management software.

10.03.2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-069-09

Siemens SINEC INS

Title

Siemens SINEC INS

Published

March 10, 2022, 5:15 p.m.

URL

Summary

This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in the Siemens SINECC INS web-based application.

08.03.2022

PTC Axeda agent and Axeda Desktop Server

Title

PTC Axeda agent and Axeda Desktop Server

Published

March 8, 2022, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-067-01

Summary

This advisory contains mitigations for Use of Hard-coded Credentials, Missing Authentication for Critical Function, Exposure of Sensitive Information to an Unauthorized Actor, Path Traversal, Improper Check or Handling of Exceptional Conditions vulnerabilities in Axeda agent and Axeda Desktop Server, a remote asset connectivity software used as part of a cloud ...

08.03.2022

AVEVA System Platform

Title

AVEVA System Platform

Published

March 8, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02

Summary

This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product.

08.03.2022

Sensormatic PowerManage (Update A)

Title

Sensormatic PowerManage (Update A)

Published

March 8, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01

Summary

This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform.

04.03.2022

Trailer Power Line Communications (PLC) J2497

Title

Trailer Power Line Communications (PLC) J2497

Published

March 4, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-063-01

Summary

This advisory contains mitigations for Missing Authentication for Critical Function, and Improper Protection against Electromagnetic Fault Injection vulnerabilities in Power Line Communications (PLC): J2497 (a.k.a. PLC4TRUCKS), a bidirectional, serial communications link over a vehicle power supply line.

03.03.2022

https://us-cert.cisa.gov/ics/advisories/icsma-22-062-02

BD Viper LT

Title

BD Viper LT

Published

March 3, 2022, 4:05 p.m.

URL

Summary

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the BD Viper LT automated molecular testing system.

03.03.2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01

IPCOMM ipDIO

Title

IPCOMM ipDIO

Published

March 3, 2022, 4 p.m.

URL

Summary

This advisory contains mitigations for a Cross-site Scripting, and Code Injection vulnerabilities in the IPCOMM ipDIO telecontrol communication device.

February 2022

FATEK Automation FvDesigner

Title

FATEK Automation FvDesigner

Published

Feb. 24, 2022, 4:15 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-055-01

Summary

This advisory contains mitigations for Stack-based Buffer Overflow, Out-of-bounds Write, and Out-of-bounds Read vulnerabilities in FATEK Automation FvDesigner HMI products.

Mitsubishi Electric EcoWebServerIII

Title

Mitsubishi Electric EcoWebServerIII

Published

Feb. 24, 2022, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-055-02

Summary

This advisory contains mitigations for Improper Neutralization of Input During Web Page Generation, Uncontrolled Resource Consumption, and Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerabilities in the Mitsubishi Electric EcoWebServerIII energy saving data collecting server.

Schneider Electric Easergy P5 and P3

Title

Schneider Electric Easergy P5 and P3

Published

Feb. 24, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03

Summary

This advisory contains mitigations for Use of Hard-coded Credentials, and Classic Buffer Overflow vulnerabilities in Schneider Electric Easergy P5 and P3 medium voltage protection relays.

Baker Hughes Bently Nevada 3500

Title

Baker Hughes Bently Nevada 3500

Published

Feb. 24, 2022, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-231-02

Summary

This advisory was originally posted to the HSIN ICS library on August 19, 2021, and is being released to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in the Bently Nevada 3500 machinery protection and monitoring systems.

22.02.2022

GE Proficy CIMPLICITY-IPM

Title

GE Proficy CIMPLICITY-IPM

Published

Feb. 22, 2022, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01

Summary

This advisory contains mitigations for an Improper Privilege Management vulnerability in GE Proficy CIMPLICITY, a HMI and SCADA platform.

22.02.2022

GE Proficy CIMPLICITY-Cleartext

Title

GE Proficy CIMPLICITY-Cleartext

Published

Feb. 22, 2022, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02

Summary

This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in GE Proficy CIMPLICITY, a HMI and SCADA platform.

22.02.2022

https://us-cert.cisa.gov/ics/advisories/icsa-22-053-03

WIN-911 2021

Title

WIN-911 2021

Published

Feb. 22, 2022, 4 p.m.

URL

Summary

This advisory contains mitigations for Incorrect Default Permissions vulnerabilities in WIN-911 2021 alarm notification platforms.

11.02.2022

Siemens Solid Edge, JT2Go, and Teamcenter Visualization

Title

Siemens Solid Edge, JT2Go, and Teamcenter Visualization

Published

Feb. 11, 2022, 4:55 a.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07-1

Summary

This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products.

Siemens SIMATIC Industrial Products

Title

Siemens SIMATIC Industrial Products

Published

Feb. 10, 2022, 5:25 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-01

Summary

This advisory contains mitigations for Operation on a Resource after Expiration or Release, and Missing Release of Memory after Effective Lifetime vulnerabilities in Siemens Industrial Products using the SIMATIC firmware platform.

Siemens SIMATIC WinCC and PCS

Title

Siemens SIMATIC WinCC and PCS

Published

Feb. 10, 2022, 5:20 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-02

Summary

This advisory contains mitigations for a Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Siemens SIMATIC WinCC and PCS industrial automation products.

SINEMA Remote Connect Server

Title

SINEMA Remote Connect Server

Published

Feb. 10, 2022, 5:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-04

Summary

This advisory contains mitigations for an Open Redirect vulnerability in the SINEMA Remote Connect Server, a management platform for remote networks.

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-05

SICAM TOOLBOX II

Title

SICAM TOOLBOX II

Published

Feb. 10, 2022, 5:05 p.m.

URL

Summary

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Siemens SICAM TOOLBOX II software platform.

Siemens Spectrum Power 4

Title

Siemens Spectrum Power 4

Published

Feb. 10, 2022, 5 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-06

Summary

This advisory contains mitigations for a Cross-site scripting vulnerability in Siemens Spectrum Power 4 communications and data modeling software.

Siemens COMOS Web (Update A)

Title

Siemens COMOS Web (Update A)

Published

Feb. 10, 2022, 4:50 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-22-013-05

Summary

This updated advisory is a follow-up to the original advisory titled ICSA-22-013-05 Siemens COMOS Web that was published January 13, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Basic XSS, Relative Path Traversal, SQL Injection, and Cross-site Request Forgery vulnerabilities in the Siemens COMOS Web unified ...

Siemens Healthineers syngo fastView (Update A)

Title

Siemens Healthineers syngo fastView (Update A)

Published

Feb. 10, 2022, 4:45 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-16

Summary

This updated advisory is a follow-up to the original advisory titled ICSA-21-350-16 Siemens Healthineers syngo fastView that was published December 16, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigation for an Out-of-bounds Write vulnerability in the Siemens Healthineers syngo fastView software for digital imaging and communications.