CISA releases 35 Industrial Control Systems Advisories

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Advisories for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.

ICS-CERT released the following 35 advisories today, June 16, 2022. Click on the links below for more detailed information on these Industrial Control Systems vulnerabilities.

This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerabilities in Welch Allyn resting electrocardiograph devices. Hillrom Medical, Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries.

This advisory contains mitigations for Uncontrolled Search Path Element, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products.

This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect DirectLOGIC programmable logic controllers with serial communication.

This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers.

This advisory contains mitigations for Improper Restriction of XML External Entity Reference, and Cross-site Scripting vulnerabilities in the Siemens Mendix SAML Module.

This advisory contains mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the Siemens EN100 Ethernet Module.

This advisory contains mitigations for NULL Pointer Dereference, Out-of-bounds Write, and Server-side Request Forgery (SSRF) vulnerabilities in the Siemens Apache HTTP Server.

This advisory contains mitigations for an Improperly Implemented Security Check for Standard vulnerability in the Siemens SINEMA Remote Connect Server.

This advisory contains mitigations for Missing Authentication for Critical Function, and Resource Leak vulnerabilities in the Siemens SICAM GridEdge Essential ARM.

This advisory contains mitigations for vulnerabilities in the Siemens SCALANCE LPE9403, a processing power extension for the SCALANCE family of products.

This advisory contains mitigations for an Improper Validation of Integrity Check Value vulnerability in the Siemens SCALANCE XM-400 and XR-500 industrial switches.

This advisory contains mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability in the Siemens Xpedition Designer PCB design flow products.

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Siemens Spectrum Power data modelling and monitoring system.

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Siemens Teamcenter product lifecycle management software.

This advisory contains mitigations for an Infinite Loop vulnerability in the Siemens OpenSSL Affected Industrial Products.

This advisory contains mitigations for a Cross-site Scripting vulnerability in the Siemens Teamcenter Active Workspace software management platform.

This advisory contains mitigations for an Out-of-bounds Write vulnerability in Siemens SCALANCE LPE 4903 and SINUMERIK Edge.

This advisory contains mitigations for multiple vulnerabilities in the Siemens SINEMA Remote Connect Server.

This updated advisory is a follow-up to the advisory update titled ICSA-22-132-06 Siemens SIMATIC WinCC (Update A) that was published May 12, 2022, to the ICS webpage at cisa.gov/ics. This advisory contains mitigations for an Insecure Default Initialization of Resource vulnerability in SIMATIC PCS and WinCC industrial products.

This updated advisory is a follow-up to the advisory update titled ICSA-21-132-10 Siemens SIMATIC WinCC (Update A) that was published May 12, 2022, to the ICS webpage at cisa.gov/ics. This advisory contains mitigations for an Uncaught Exception vulnerability in the Siemens Desigo DXR and PXC controllers. 

This updated advisory is a follow-up to the original advisory titled ICSA-22-132-13 Siemens Industrial Devices using libcurl that was published May 12, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Use After Free vulnerability in Siemens Industrial Devices using libcurl.

This updated advisory is a follow-up to the original advisory titled ICSA-22-132-16 Siemens Teamcenter that was published May 12, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Siemens Teamcenter product lifecycle management software.

This updated advisory is a follow-up to the original advisory titled ICSA-22-104-06 Siemens PROFINET Stack Integrated on Interniche Stack that was published April 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens PROFINET Stack Integrated on Interniche Stack. 

This updated advisory is a follow-up to the original advisory titled ICSA-22-104-07 Siemens Mendix that was published April 14, 2022, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Siemens Mendix, a software platform to build mobile and web applications. 

This updated advisory is a follow-up to the original advisory titled ICSA-22-069-01 Siemens RUGGEDCOM Devices (Update A) that was published April 14, 2022, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Missing Encryption of Sensitive Data vulnerability in devices using the Siemens RUGGEDCOM software platform.

This updated advisory is a follow-up to the advisory update ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization (Update B) that was published April 14, 2022, on the ICS webpage at cisa.gov/ics. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products.

This updated advisory is a follow-up to the original advisory titled ICSA-21-132-10 Siemens SIMATIC CP that was published September 14, 2021, to the ICS webpage at cisa.gov/ics. This advisory contains mitigations for a Cleartext Storage of Sensitive Information vulnerability in Siemens SIMATIC CP communication processors.

This updated advisory is a follow-up to the original advisory titled ICSA-21-222-07 Siemens SIMATIC NET CP that was published August 10, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-Bounds Read, and Use After Free vulnerabilities in Siemens SIMATIC CP industrial Ethernet products.

This updated advisory is a follow-up to the original advisory titled ICSA-21-194-07 Siemens Industrial Products LLDP (Update A) that was published August 10, 2021, on the ICS webpage on cisa.gov/ics. This advisory includes mitigations for Classic Buffer Overflow, and Uncontrolled Resource Consumption vulnerabilities in Siemens Industrial Products (LLDP).

This updated advisory is a follow-up to the advisory update titled ICSA-21-131-03 Siemens Linux-based Products (Update G) that was published December 16, 2021, to the ICS webpage at cisa.gov/ics. This advisory contains mitigations for a Use of Insufficiently Random Values vulnerability in Siemens Linux Based products.

This updated advisory is a follow-up to the advisory update titled ICSA-20-105-08 Siemens KTK, SIDOOR, SIMATIC, and SINAMICS (Update B) that was published March 9, 2021, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Siemens KTN, SIDOOR, SIMATIC, and SINAMICS products.

This updated advisory is a follow-up to the advisory update titled ICSA-20-042-04 Siemens PROFINET-IO Stack (Update G) that was published April 14, 2022, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Internal Resource Allocation vulnerability in the Siemens PROFINET-IO Stack, which could be exploited to create a denial-of-service condition in products that include the vulnerable stack.

This updated advisory is a follow-up to the advisory update titled ICSA-20-014-03 Siemens SCALANCE X Switches (Update A) that was published February 10, 2022, to the ICS webpage on cisa.gov/ics. This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in Siemens SCALANCE X switches.

This updated advisory is a follow-up to the advisory update titled ICSA-20-014-05 Siemens TIA Portal (Update D) that was published May 12, 2021, on the ICS webpage at cisa.gov/ics. This advisory contains mitigations for a Path Traversal Vulnerability in the Siemens TIA Portal engineering framework.

This updated advisory is a follow-up to the original advisory titled ICSA-17-285-05 Siemens BACnet Field Panels that was published October 12, 2017, on the ICS webpage on cisa.gov/ics. This advisory contains mitigation details for Authentication Bypass Using an Alternate Path or Channel, and Path Traversal vulnerabilities in Siemens BACnet field panels.