Bulletins | CERT@VDE

Mitsubishi Electric GOT and Tension Controller

Title

Mitsubishi Electric GOT and Tension Controller

Published

Oct. 5, 2021, 4:20 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-278-01

Summary

This advisory contains mitigations for a Improper Handling of Exceptional Conditions, and Improper Input Validation vulnerabilities in Mitsubishi Electric GOT and Tension Controller products.

Moxa MXview Network Management Software

Title

Moxa MXview Network Management Software

Published

Oct. 5, 2021, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-278-03

Summary

This advisory contains mitigations for Path Traversal, Use of Hard-coded Password, Unprotected Transport of Credentials, Injection, and Improper Access Control vulnerabilities in Moxa MXview network management software.

Honeywell Experion PKS and ACE Controllers

Title

Honeywell Experion PKS and ACE Controllers

Published

Oct. 5, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-278-04

Summary

This advisory contains mitigations for Unrestricted Upload of File with Dangerous Type, Relative Path Traversal, Improper Neutralization of Special Elements in Output Used by a Downstream Component vulnerabilities in Honeywell Experion Process Knowledge System (PKS) C200, C200E, C300 and ACE Controllers.

Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A)

Title

Medtronic MiniMed MMT-500/MMT-503 Remote Controllers (Update A)

Published

Oct. 5, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/ICSMA-18-219-02

Summary

This updated advisory is a follow-up to the original advisory titled ICSMA-18-219-02 Medtronic MiniMed MMT-500 and MMT-503 Remote Controllers that was published August 7, 2018, to the ICS webpage on us-cert.cisa.gov. This medical device advisory includes mitigation recommendations for cleartext transmission of sensitive information and authentication bypass by capture-replay vulnerabilities ...

September 2021

30.09.2021

Boston Scientific Zoom Latitude

Title

Boston Scientific Zoom Latitude

Published

Sept. 30, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsma-21-273-01

Summary

This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques, Improper Access Control, Missing Support for Integrity Check, and Reliance on Component That is Not Updateable vulnerabilities in the Boston Scientific Zoom Latitude programmer/recorder/monitor (PRM) ...

23.09.2021

https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01

Trane Symbio

Title

Trane Symbio

Published

Sept. 23, 2021, 4:10 p.m.

URL

Summary

This advisory contains mitigations for a Code Injection vulnerability in Trane Symbio 700 and Symbio 800 controllers.

23.09.2021

https://us-cert.cisa.gov/ics/advisories/icsa-21-266-02

Trane Tracer

Title

Trane Tracer

Published

Sept. 23, 2021, 4:05 p.m.

URL

Summary

This advisory contains mitigations for a Code Injection vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge building automation products.

23.09.2021

Ovarro TBox (Update A)

Title

Ovarro TBox (Update A)

Published

Sept. 23, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-054-04

Summary

This updated advisory is a follow-up to the advisory update titled ICSA-21-054-04 Ovarro TBox that was published March 23, 2021, to the ICS webpage on us-cert.cisa.gov. The original advisory was titled ICSA-21-054-04P Ovarro TBox and posted to the HSIN ICS library on February 23, 2021. This advisory contains mitigations for ...

16.09.2021

Siemens RUGGEDCOM ROX

Title

Siemens RUGGEDCOM ROX

Published

Sept. 16, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-259-01

Summary

This advisory contains mitigations for Exposure of Sensitive Information to an Unauthorized Actor, Execution with Unnecessary Privileges, and Improper Handling of Insufficient Permissions or Privileges vulnerabilities in Siemens RUGGEDCOM ROX devices.

16.09.2021

Schneider Electric EcoStruxure and SCADAPack

Title

Schneider Electric EcoStruxure and SCADAPack

Published

Sept. 16, 2021, 4 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-259-02

Summary

This advisory contains mitigations for a Path Traversal vulnerability in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect software designed for the x70 SCADAPack system.

Digi PortServer TS 16

Title

Digi PortServer TS 16

Published

Sept. 14, 2021, 5:26 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-01

Summary

This advisory contains mitigations for an Improper Authentication vulnerability in Digi PortServer TS 16 terminal servers.

Johnson Controls Sensormatic Electronics KT-1

Title

Johnson Controls Sensormatic Electronics KT-1

Published

Sept. 14, 2021, 5:24 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-02-0

Summary

This advisory contains mitigations for an Authentication Bypass by Capture-replay vulnerability in Sensormatic Electronics KT-1 door controllers. Sensormatic Electronics is a subsidiary of Johnson Controls.

Schneider Electric Struxureware Data Center Expert

Title

Schneider Electric Struxureware Data Center Expert

Published

Sept. 14, 2021, 5:22 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-03

Summary

This advisory contains mitigations for OS Command Injection, and Path Traversal vulnerabilities in Schneider Electric Struxureware Data Center Expert monitoring software.

Siemens Simcenter Femap

Title

Siemens Simcenter Femap

Published

Sept. 14, 2021, 5:20 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-04

Summary

This advisory contains mitigations for an Out-of-bounds Read vulnerability in the Siemens Simenter Femap simulation application.

Siemens Simcenter STAR-CCM+ Viewer

Title

Siemens Simcenter STAR-CCM+ Viewer

Published

Sept. 14, 2021, 5:18 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-05

Summary

This advisory contains mitigations for an Out-of-bounds Write vulnerability in the Siemens Simcenter Star-CCM+ Viewer simulation application.

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-06

Siemens SIMATIC CP

Title

Siemens SIMATIC CP

Published

Sept. 14, 2021, 5:16 p.m.

URL

Summary

This advisory contains mitigations for a Cleartext Storage of Sensitive Information vulnerability in Siemens SIMATIC CP communication processors.

Siemens APOGEE and TALON

Title

Siemens APOGEE and TALON

Published

Sept. 14, 2021, 5:14 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-07

Summary

This advisory contains mitigations for a Classic Buffer Overflow vulnerability in Siemens APOGEE and TALON building automation systems.

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-08

Siemens Teamcenter

Title

Siemens Teamcenter

Published

Sept. 14, 2021, 5:12 p.m.

URL

Summary

This advisory contains mitigations for Privilege Defined with Unsafe Actions, Authorization Bypass Through User-Controlled Key, and Improper Restriction of XML External Entity Reference vulnerabilities in the Siemens Teamcenter virtualization platform.

Siemens Teamcenter Active Workspace

Title

Siemens Teamcenter Active Workspace

Published

Sept. 14, 2021, 5:12 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-08

Summary

This advisory contains mitigations for a Path Traversal vulnerability in the Siemens Teamcenter Active Workspace product lifecycle management system.

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-09

Siemens NX

Title

Siemens NX

Published

Sept. 14, 2021, 5:10 p.m.

URL

Summary

This advisory contains mitigations for Use After Free, and Out-of-bounds Read vulnerabilities in Siemens NX industrial software.

Siemens SIPROTEC 5 relays

Title

Siemens SIPROTEC 5 relays

Published

Sept. 14, 2021, 5:08 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-257-10

Summary

This advisory contains mitigations for Classic Buffer Overflow vulnerabilities in Siemens SIPROTEC 5 relays.

https://us-cert.cisa.gov/ics/advisories/icsa-21-252-01

AVEVA PCS Portal

Title

AVEVA PCS Portal

Published

Sept. 9, 2021, 4:15 p.m.

URL

Summary

This advisory contains mitigations for an Uncontrolled Search Path Element vulnerability in AVEVA PCS Portal sofware.

Delta Electronics DOPSoft 2

Title

Delta Electronics DOPSoft 2

Published

Sept. 9, 2021, 4:10 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02

Summary

This advisory contains mitigations for Stack-based Buffer Overflow, Out-of-Bounds Write, and Heap-based Buffer Overflow vulnerabilities in Delta Electronics DOPSoft 2 HMI editing software.

Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU

Title

Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU

Published

Sept. 9, 2021, 4:05 p.m.

URL

https://us-cert.cisa.gov/ics/advisories/icsa-21-252-03

Summary

This advisory is a follow-up to a CISA product update titled ICS-ALERT-19-225-01 Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A) published September 10, 2019, on the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for OS Command Injection, Improper Access Control, Cross-site Scripting, Use of Hard-coded Credentials, Unprotected ...