CISA releases 41 Industrial Control Systems Advisories
Cybersecurity and Infrastructure Security Agency sent this bulletin at 04/14/2022 08:20 PM EDT
You are subscribed to no topic for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.
This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in the Delta Electronics DMARS program development tool.
This advisory contains mitigations for an Incomplete Cleanup vulnerability in the Johnson Controls Metasys ADS/ADX/OAS servers for building management systems.
This advisory contains mitigation for Insufficient Verification of Data Authenticity, Weak Password Requirements, Use of Unmaintained Third-Party Components, and Insufficiently Protected Credentials vulnerabilities in the Red Lion DA50N networking gateway.
This advisory contains mitigations for Improper Authentication, Injection, Improper Validation of Integrity Check, and Improper Input Validation vulnerabilities in Siemens SCALANCE FragAttacks.
This advisory contains mitigations for a NULL Pointer Dereference vulnerability in Siemens OpenSSL products.
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens PROFINET Stack Integrated on Interniche Stack.
This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Siemens Mendix, a software platform to build mobile and web applications.
This advisory contains mitigations for Race Condition, and Improper Input Validation vulnerabilities in the Siemens SCALANCE W1700 wireless communication device.
This advisory contains mitigations for Improper Input Validation, Use of Insufficiently Random Values, Stack-based Buffer Overflow, Cross-site Request Forgery, Improper Access Control, Basic XSS, Classic Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens SCALANCE X-300 Switches.
This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the Siemens SICAM A8000 products.
This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource, Uncontrolled Search Path Element, and Deserialization of Untrusted Data vulnerabilities in the Siemens SIMATIC Energy Manager.
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens SIMATIC S7-400 products.
This advisory contains mitigations for a Use of Unmaintained Third-party Components vulnerability in the Siemens SIMATIC S7-1500 CPU GNU Linux subsystem.
This advisory contains mitigations for an Improper Access Control vulnerability in the Siemens SIMATIC STEP 7 (TIA Portal).
This advisory contains mitigations for Out-of-bounds Read, and Out-of-bounds Write vulnerabilities in the Siemens Simcenter Femap simulation application.
This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens TIA Administrator products.
This advisory contains mitigations for an Improper Access Control vulnerability in the Siemens Mendix, a software platform to build mobile and web applications.
This updated advisory is a follow-up to the original advisory titled ICSA-22-069-01 Siemens RUGGEDCOM Devices that was published March 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Missing Encryption of Sensitive Data vulnerability in devices using the Siemens RUGGEDCOM software platform.
This updated advisory is a follow-up to the original advisory titled ICSA-22-069-08 Siemens Polarion ALM that was published March 10, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Cross-site Scripting vulnerability in Siemens Siemens Polarion ALM management software.
This updated advisory is a follow-up to the original advisory titled ICSA-22-069-12 Siemens RUGGEDCOM ROS that was published March 10, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Using Components with Known Vulnerabilities vulnerability in Siemens RUGGEDCOM ROS-based devices.
This updated advisory is a follow-up to the advisory update titled ICSA-22-069-13 Siemens Mendix that was published March 10, 2021, to the ICS webpage on us-cert.gov. This advisory contains mitigations for an Improper Access Control vulnerability in the Siemens Mendix application development platform.
This updated advisory is a follow-up to the original advisory titled ICSA-22-041-02 Siemens SIMATIC WinCC and PCS that was published February 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Siemens SIMATIC WinCC and PCS industrial automation products.
This updated advisory is a follow-up to the advisory update ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization (Update A) that was published March 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products.
This updated advisory is a follow-up to the advisory update titled ICSA-22-013-05 Siemens COMOS Web (Update A) that was published February 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Basic XSS, Relative Path Traversal, SQL Injection, and Cross-site Request Forgery vulnerabilities in the Siemens COMOS Web unified data platform.
This updated advisory is a follow-up to the advisory update titled ICSA-21-315-03 Siemens SIMATIC WinCC (Update B) that was published March 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Path Traversal, and Insertion of Sensitive Information into Log File vulnerabilities in Siemens SIMATIC WinCC, a SCADA HMI system.
This updated advisory is a follow-up to the original advisory titled ICSA-21-315-07 Siemens Nucleus RTOS-based APOGEE and TALON Products (Update A) that was published December 16, 2021, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for several vulnerabilities in Siemens Nucleus RTOS-based APOGEE and TALON direct digital control (DDC) devices.
This updated advisory is a follow-up to the advisory update titled ICSA-21-222-05 Siemens Industrial Products Intel CPU (Update B) that was published March 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a Missing Encryption of Sensitive Data vulnerability in Siemens industrial products using some Intel CPUs.
This updated advisory is a follow-up to the advisory update titled ICSA-21-194-03 Siemens PROFINET Devices (Update C) that was published October 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Allocation of Resources Without Limits or Throttling vulnerability in Siemens PROFINET Devices.
This updated advisory is a follow-up to the original advisory titled ICSA-21-194-12 Siemens Wind River VxWorks-based Industrial Products that was published July 13, 2021, on the ICS webpage on www.cisa.gov/uscert. This advisory includes mitigations for a Heap-based Buffer Overflow in Siemens Industrial Products incorporating the Wind River VxWorks product.
This updated advisory is a follow-up to the original advisory titled ICSA-21-159-13 Siemens SIMATIC RFID Readers that was published June 8, 2021, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Siemens Simatic RFID industrial hardware systems.
This updated advisory is a follow-up to the advisory update titled ICSA-20-161-04 Siemens SIMATIC, SINAMICS, SINEC, SINEMA, SINUMERIK (Update I) that was published November 11, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Unquoted Search Path or Element vulnerability in Siemens SIMATIC, SINAMICS, SINEC, SINEMA, and SINUMERIK products.
This updated advisory is a follow-up to the advisory update titled ICSA-20-105-06 Siemens SIMOTICS, Desigo, APOGEE, and TALON (Update B) that was published December 16, 2021, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for a business logic errors vulnerability in Siemens SIMOTICS, Desigo, APOGEE, and TALON products.
This updated advisory is a follow-up to the advisory update titled ICSA-20-105-07 Siemens SCALANCE & SIMATIC (Update F) that was published February 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for a resource exhaustion vulnerability in Siemens SCALANCE and SIMATIC products.
This updated advisory is a follow-up to the advisory update titled ICSA-20-042-02 Siemens Industrial Products SNMP Vulnerabilities (Update E) that was published February 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for data processing errors and NULL pointer dereference vulnerabilities in various Siemens industrial products, including SCALANCE, SIMATIC, and SIPLUS.
This updated advisory is a follow-up to the advisory update titled ICSA-20-042-04 Siemens PROFINET-IO Stack (Update F) that was published October 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an internal resource allocation vulnerability in the Siemens PROFINET-IO Stack, which could be exploited to create a denial-of-service condition in products that include the vulnerable stack.
This updated advisory is a follow-up to the advisory update titled 20-042-06 Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC (Update F) that was published January 12, 2021, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an incorrect calculation of buffer size vulnerability in some Siemens SIMATIC software products.
This updated advisory is a follow-up to the advisory update titled ICSA-19-344-04 Siemens SIMATIC Products (Update B) that was posted March 10, 2020, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an exposed dangerous method or function vulnerability in Siemens' SIMATIC products.
This updated advisory is a follow-up to the advisory update titled ICSA-19-253-04 Siemens Industrial Products (Update P) that was published March 10, 2022, to the ICS webpage on www.cisa.gov/uscert. This updated advisory includes mitigations for integer overflow or wraparound and uncontrolled resource consumption vulnerabilities reported in Siemens’ industrial products.
This updated advisory is a follow-up to the updated advisory titled ICSA-19-099-03 Siemens Industrial Products with OPC UA (Update F) that was posted March 10, 2020, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an uncaught exception vulnerability in Siemens' industrial control products with OPC UA.
This updated advisory is a follow-up to the advisory update titled ICSA-17-243-01 Siemens OPC UA Protocol Stack Discovery Service (Update D) that was published August 11, 2020, on the on the ICS webpage on www.cisa.gov/uscert. This advisory update contains mitigation details for an improper restriction of XML external entity reference vulnerability in Siemens SIMATIC products.
This advisory contains mitigations for Improper Input Validation, and Improper Privilege Management vulnerabilities in the Siemens SIMATIC CP 1543-1 communication processor.