CISA releases 23 Industrial Control Systems Advisories
Cybersecurity and Infrastructure Security Agency sent this bulletin at 02/09/2021 03:55 PM EST
This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource vulnerabilities in the GE Digital HMI/SCADA iFIX software component.
This advisory contains mitigations for SQL Injection, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in the Advantech iView device management application.
Siemens SINEMA Server & SINEC NMS
This advisory contains mitigations for a Path Traversal vulnerability in Siemens SINEMA server and SINEC NMS products.
This advisory contains mitigations for Improper Input Validation, NULL Pointer Dereference, Out-of-bounds Write, Insufficient Verification of Data Authenticity, Improper Certificate Validation, and Out-of-bounds Read vulnerabilities in Siemens RUGGEDCOM ROX II products.
This advisory contains mitigations for an Improper Access Control vulnerability in Siemens TIA Administrator products.
Siemens JT2Go and Teamcenter Visualization
This advisory contains mitigations for Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer, Stack-based Buffer Overflow, Out-of-bounds Write, Type Confusion, Untrusted Pointer Dereference, and Incorrect Type Conversion or Cast vulnerabilities in Siemens JT2Go and Teamcenter Visualization software.
Siemens SCALANCE W780 and W740
This advisory contains mitigations for an Allocation of Resources Without Limits or Throttling vulnerability in Siemens SCALANCE W780 and W740 industrial wireless LAN products.
This advisory contains mitigations for an Incorrect Default Permissions vulnerability in Siemens SIMARIS configuration electrical planning software.
Siemens SIMATIC WinCC Graphics Designer
This advisory contains mitigations for an Authentication Bypass Using an Alternate Path or Channel vulnerability in Siemens WinCC Graphics Designer visualization software.
This advisory contains mitigations for an Incorrect Default Permissions vulnerability in Siemens DIGSI 4 software.
Siemens SCALANCE X Switches (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-20-012-02 Siemens SCALANCE X Switches that was published January 12, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Siemens SCALANCE X switches.
Siemens JT2Go and Teamcenter Visualization (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-21-012-03 Siemens JT2Go and Teamcenter Visualization that was published January 12, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read vulnerabilities in Siemens JT2Go and Teamcenter Visualization software products.
Siemens SCALANCE X Products (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-21-012-05 Siemens SCALANCE X Products that was published January 12, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for Missing Authentication for Critical Function and Heap-based Buffer Overflow vulnerabilities in Siemens SCALANCE X switches.
Siemens Embedded TCP-IP Stack Vulnerabilities-AMNESIA33 (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-20-343-05 Siemens Embedded TCP/IP Stack Vulnerabilities–AMNESIA:33 that was published December 8, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Integer Overflow vulnerability in Siemens SENTRON and SIRIUS products.
Siemens Industrial Products (Update C)
This updated advisory is a follow-up to the advisory update titled ICSA-20-252-07 Siemens Industrial Products (Update B) that was published December 8, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in several Siemens industrial products.
This updated advisory is a follow-up to the advisory update titled ICSA-20-196-05 Siemens UMC Stack (Update D) that was published December 8, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for Unquoted Search Path or Element, Uncontrolled Resource Consumption, and Improper Input Validation vulnerabilities in Siemens UMC components.
This updated advisory is a follow-up to the original advisory titled ICSA-20-105-04 Siemens Climatix that was published April 14th, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for cross-site scripting and basic XSS vulnerabilities in Siemens Climatix controllers.
Siemens SCALANCE & SIMATIC (Update D)
This updated advisory is a follow-up to the advisory update titled ICSA-20-105-07 Siemens SCALANCE & SIMATIC (Update C) that was published September 8, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a resource exhaustion vulnerability in Siemens SCALANCE and SIMATIC products.
Siemens Industrial Products SNMP (Update C)
This updated advisory is a follow-up to the advisory update titled ICSA-20-042-02 Siemens Industrial Products SNMP Vulnerabilities (Update B) that was published August 11, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for data processing errors and NULL pointer dereference vulnerabilities in various Siemens industrial products, including SCALANCE, SIMATIC, and SIPLUS.
Siemens SCALANCE X Switches (Update A)
This updated advisory is a follow-up to the original advisory update titled ICSA-20-042-07 Siemens SCALANCE X Switches that was published February 11, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a protection mechanism failure vulnerability in Siemens SCALANCE X switches.
Siemens Industrial Real-Time (IRT) Devices (Update E)
This updated advisory is a follow-up to the advisory update titled ICSA-19-283-01 Siemens Industrial Real-Time (IRT) Devices (Update D) that was published August 11, 2020, to the ICS webpage on us-cert.gov. This advisory includes mitigations for an improper input validation vulnerability in Siemens Industrial Real-Time (IRT) devices.
Siemens SCALANCE X Switches (Update B)
This updated advisory is a follow-up to the advisory update titled ICSA-19-225-03 Siemens SCALANCE X Switches (Update A) that was published August 20, 2019, to the ICS webpage on us-cert.cisa.gov. This updated advisory includes mitigations for an insufficient resource pool vulnerability reported in Siemens SCALANCE X Switches.
This updated advisory is a follow-up to the advisory update titled ICSA-19-162-04 Siemens SCALANCE X (Update A) that was published January 14, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory includes mitigations for a Storing Passwords in a Recoverable Format vulnerability reported in Siemens SCALANCE X switches.