CVE – Siemens SCALANCE, RUGGEDCOM Third-Party

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/Low attack complexity …

Read More

CVE – Honeywell OneWireless Wireless Device Manager

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity  Vendor: Honeywell  Equipment: OneWireless Wireless Device Manager (WDM)  Vulnerabilities: Command Injection, Use of Insufficiently Random Values, Missing Authentication for Critical Function  2. RISK EVALUATION Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Honeywell…

Read More

CVE – Siemens RUGGEDCOM CROSSBOW V5.2

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 1. EXECUTIVE SUMMARY CVSS v3 6.6 ATTENTION: Exploitable remotely   Vendor: Siemens…

Read More

CVE – Rockwell Automation ThinManager

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity   Vendor: Rockwell Automation   Equipment: ThinManager ThinServer  Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow  2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following…

Read More

CVE – Siemens RUGGEDCOM APE1808 Product Family

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).   1. EXECUTIVE SUMMARY CVSS v3 8.2 ATTENTION: Low attack complexity/public…

Read More

CVE – Delta Electronics InfraSuite Device Master

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Delta Electronics Equipment: InfraSuite Device Master Vulnerabilities: Deserialization of Untrusted Data, Improper Access Control, Exposed Dangerous Method or Function, Path Traversal, Improper Authentication, Command Injection, Incorrect Permission Assignment for Critical Resource, Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an…

Read More

CVE – VISAM VBASE Automation Base

1. EXECUTIVE SUMMARY CVSS v3 5.5 ATTENTION: Low attack complexity Vendor: VISAM Equipment: VBASE Vulnerabilities: Improper Restriction of XML External Entity Reference 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information from the target device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS VISAM reports these vulnerabilities affect the following VBASE products: VBASE Automation…

Read More

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management

As part of the Enduring Security Framework (ESF), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) has released Identity and Access Management Recommended Best Practices Guide for Administrators. These recommended best practices provide system administrators with actionable recommendations to better secure their systems from threats to Identity and Access Management…

Read More

WaterISAC Releases Advisory for Microsoft DCOM Patch

The Water Information Sharing and Analysis Center (WaterISAC) has released an advisory, Potential for Mandatory Microsoft DCOM Patch to Disrupt SCADA. ICS/OT/SCADA engineers and operators should assess the use of the Distributed Component Object Model (DCOM) protocol in their industrial environments. According to WaterISAC, “failure to address could result in loss of critical communications between…

Read More

CISA Releases Eight Industrial Control Systems Advisories

CISA released eight Industrial Control Systems (ICS) advisories on March 16, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:   ICSA-23-075-01 Siemens SCALANCE, RUGGEDCOM Third-Party ICSA-23-075-02 Siemens RUGGEDCOM CROSSBOW…

Read More