Bulletins | CERT@VDE

TCP/IP Stack Vulnerabilities–AMNESIA:33 in SENTRON PAC / 3VA Devices

Title

TCP/IP Stack Vulnerabilities–AMNESIA:33 in SENTRON PAC / 3VA Devices

Published

March 9, 2021, 5:15 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-068-06

Summary

This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in Siemens SENTRON PAC / 3VA Devices power monitoring devices.

Siemens TCP Stack of SIMATIC MV400

Title

Siemens TCP Stack of SIMATIC MV400

Published

March 9, 2021, 5:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-068-07

Summary

This advisory contains mitigations for Improper Validation of Specified Index, Position, or Offset in Input; and Use of Insufficiently Random Values vulnerabilities in Siemens SIMATIC MV400 optical code reader software.

Siemens Energy PLUSCONTROL 1st Gen

Title

Siemens Energy PLUSCONTROL 1st Gen

Published

March 9, 2021, 5:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-068-08

Summary

This advisory contains mitigations for a Predictable Exact Value from Previous Values vulnerability in Siemens Energy PLUSCONTROL 1st Gen energy management systems.

Siemens Solid Edge File Parsing

Title

Siemens Solid Edge File Parsing

Published

March 9, 2021, 5 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-068-09

Summary

This advisory contains mitigations for a Out-of-bounds Write, Improper Restriction of XML External Entity Reference, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge portfolio software tools.

02.03.2021

Hitachi ABB Power Grids Ellipse EAM

Title

Hitachi ABB Power Grids Ellipse EAM

Published

March 2, 2021, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-061-01

Summary

This advisory contains mitigations for Cross-site Scripting, and User Interface Misrepresentation of Critical Information vulnerabilities in Hitachi ABB Power Grids Ellipse EAM software products.

02.03.2021

Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers

Title

Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers

Published

March 2, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-061-02

Summary

This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation CompactLogix 5370 and ControlLogix 5570 controllers.

02.03.2021

MB connect line mbCONNECT24, mymbCONNECT24

Title

MB connect line mbCONNECT24, mymbCONNECT24

Published

March 2, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-061-03

Summary

This advisory contains mitigations for several vulnerabilities in the MB connect line mbCONNECT24, mymbCONNECT24 remote service portal products.

February 2021

PerFact OpenVPN-Client

Title

PerFact OpenVPN-Client

Published

Feb. 25, 2021, 4:15 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-01

Summary

This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client.

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-02

Fatek FvDesigner

Title

Fatek FvDesigner

Published

Feb. 25, 2021, 4:10 p.m.

URL

Summary

This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in Fatek FvDesigner software.

Rockwell Automation Logix Controllers

Title

Rockwell Automation Logix Controllers

Published

Feb. 25, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03

Summary

This advisory contains mitigations for a n Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.

ProSoft Technology ICX35

Title

ProSoft Technology ICX35

Published

Feb. 25, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04

Summary

This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways.

23.02.2021

Advantech BB-ESWGP506-2SFP-T

Title

Advantech BB-ESWGP506-2SFP-T

Published

Feb. 23, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02

Summary

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Advantech BB-ESWGP506-2SFP-T industrial ethernet switches.

23.02.2021

Advantech Spectre RT Industrial Routers

Title

Advantech Spectre RT Industrial Routers

Published

Feb. 23, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-054-03

Summary

This advisory contains mitigations for Improper Neutralization of Input During Web Page Generation, Cleartext Transmission of Sensitive Information, Improper Restriction of Excessive Authentication Attempts, Use of a Broken or Risky Cryptographic Algorithm, and Use of Platform-Dependent Third-party Components vulnerabilities in Advantech Spectre RT Industrial Routers.

11.02.2021

Multiple Embedded TCP/IP stacks

Title

Multiple Embedded TCP/IP stacks

Published

Feb. 11, 2021, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-042-01

Summary

This advisory contains mitigations for Use of Insufficiently Random Values vulnerabilities in Nut/Net, CycloneTCP, NDKTCPIP, FNET, uIP-Contiki-OS, uC/TCP-IP, uIP-Contiki-NG, uIP, picoTCP-NG, picoTCP, MPLAB Net, Nucleus NET, Nucleus ReadyStart TCP/IP stacks.

11.02.2021

Rockwell Automation DriveTools SP and Drives AOP

Title

Rockwell Automation DriveTools SP and Drives AOP

Published

Feb. 11, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-042-02

Summary

This advisory contains mitigations for an Uncontrolled Search Path Element vulnerability in Rockwell Automation DriveTools SP and Drives AOP software.

11.02.2021

Wibu-Systems CodeMeter (Update E)

Title

Wibu-Systems CodeMeter (Update E)

Published

Feb. 11, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01

Summary

This updated advisory is a follow-up to the advisory update titled ICSA-20-203-01 Wibu-Systems CodeMeter (Update D) that was published December 3, 2020, to the ICS webpage on us-cert.gov. This advisory contains mitigations for Buffer Access with Incorrect Length Value, Inadequate Encryption Strength, Origin Validation Error, Improper Input Validation, Improper Verification ...

GE Digital HMI/SCADA iFIX

Title

GE Digital HMI/SCADA iFIX

Published

Feb. 9, 2021, 5:50 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-01

Summary

This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource vulnerabilities in the GE Digital HMI/SCADA iFIX software component.

Siemens SINEMA Server & SINEC NMS

Title

Siemens SINEMA Server & SINEC NMS

Published

Feb. 9, 2021, 5:40 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-03

Summary

This advisory contains mitigations for a Path Traversal vulnerability in Siemens SINEMA server and SINEC NMS products.

Siemens TIA Administrator

Title

Siemens TIA Administrator

Published

Feb. 9, 2021, 5:30 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-05

Summary

This advisory contains mitigations for an Improper Access Control vulnerability in Siemens TIA Administrator products.

Siemens SCALANCE W780 and W740

Title

Siemens SCALANCE W780 and W740

Published

Feb. 9, 2021, 5:20 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-07

Summary

This advisory contains mitigations for an Allocation of Resources Without Limits or Throttling vulnerability in Siemens SCALANCE W780 and W740 industrial wireless LAN products.

January 2021

SOOIL Dana Diabecare RS Products

Title

SOOIL Dana Diabecare RS Products

Published

Jan. 12, 2021, 5 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01

Summary

This advisory contains mitigations for Use of Hard Coded Credentials, Insufficiently Protected Credentials, Use of Insufficiently Random Values, Use of Client-side Authentication, Client-side Enforcement of Server-side Security, Authentication Bypass by Capture-Replay, Unprotected Transport of Credentials, Key Exchange Without Entity Authentication, and Authentication Bypass by Spoofing vulnerabilities in SOOIL Dana Diabecare ...

Schneider Electric EcoStruxure Power Build-Rapsody

Title

Schneider Electric EcoStruxure Power Build-Rapsody

Published

Jan. 12, 2021, 4:55 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01

Summary

This advisory contains mitigations for an Unrestricted Upload of File with Dangerous Type vulnerability in the Schneider Electric EcoStruxure Power Build-Rapsody software.

Siemens JT2Go and Teamcenter Visualization

Title

Siemens JT2Go and Teamcenter Visualization

Published

Jan. 12, 2021, 4:45 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-012-03

Summary

This advisory contains mitigations for a Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read vulnerabilities in Siemens JT2Go and Teamcenter Visualization software products.

https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04

Siemens Solid Edge

Title

Siemens Solid Edge

Published

Jan. 12, 2021, 4:40 p.m.

URL

Summary

This advisory contains mitigations for Out-of-bounds Write, and Stack-based Buffer Overflow vulnerabilities in Siemens Solid Edge software tools.