Today CISA’s NCCIC-ICS published eight control system security advisories for products from Schneider Electric, Hitachi Energy (2), Fuji Electric, and Siemens (4). They also updated advisories for products from Mitsubishi (2), Johnson Controls, and Delta Electronics. This post includes the identification of a duplicate CISA advisory.
Schneider Advisory
This advisory describes two vulnerabilities in the Schneider Data Center Expert. One of the vulnerabilities was reported by an anonymous researcher via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Missing authentication for critical function - CVE-2024-8530, and
Improper verification of cryptographic signature - CVE-2024-8531
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to expose private data or achieve remote code execution.
NOTE: Thanks to the ZDI advisory I was able to access an earlier CISA advisory that covered both of these vulnerabilities (ICSA-24-289-02). There is an interesting difference between this advisory and the older version; the older version includes a CVSS v4 score that is not included in today’s advisory. This sort of thing could be avoided if CISA were to report their advisories to NVD.NIST.gov for inclusion in the CVE file.
Hitachi Energy Advisory #1
This advisory describes a relative path traversal vulnerability in the Hitachi Energy FOX61x Products. The vulnerability was self-reported. The Hitachi Energy advisory reports that the vulnerability was reported by Darius Pavelescu and Bernhard Rader from Limes Security. Hitachi has new versions that mitigate the vulnerability; the advisory lists affected products that are end-of-life and will not be ‘fixed’.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to traverse the file system and access files or directories that would otherwise be inaccessible.
NOTE: I briefly discussed this vulnerability on June 15th, 2024.
Hitachi Energy Advisory #2
This advisory describes an improper validation of certificate with host mismatch vulnerability in the Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN products. The vulnerability was self-reported. According to the Hitachi advisory, the vulnerability was reported by Darius Pavelescu and Bernhard Rader from Limes Security. Hitachi has new versions that mitigate the vulnerability; the advisory lists affected products that are end-of-life and will not be ‘fixed’.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to intercept or falsify data exchanges between the client and the server.
NOTE: I briefly discussed this vulnerability on June 15th, 2024.
Fuji Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Fuji Alpha5 SMART servo drive system. The vulnerability was reported by an anonymous researcher working with Trend Micro's Zero Day Initiative (reported as two separate vulnerabilities, ZDI-24-537 and ZDI-24-536). Fuji reports that the vulnerabilities will not be fixed in this product and recommends an upgrade; the product is essentially EOL.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to execute arbitrary code.
Siemens Advisory #1
This advisory describes a files or directories accessible to external parties vulnerability in the Siemens SIPROTEC 5 products. The vulnerability was self-reported. The Siemens advisory notes that the vulnerability was reported by Steffen Robertz, Stefan Viehböck, and Constantin Schieber-Knöbl from SEC Consult Vulnerability. Siemens has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an authenticated remote attacker to read arbitrary files or the entire filesystem of the device.
Siemens Advisory #2
This advisory discusses an insertion of sensitive information into a log file vulnerability in the Siemens Siveillance Video Device Pack. This is a third-party (Milestone) vulnerability. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability to allow a local attacker to read camera credentials stored in the Recording Server under specific conditions.
Siemens Advisory #3
This advisory describes a cross-site scripting vulnerability in the Siemens Industrial Edge Management. This vulnerability was self-reported. The Siemens advisory notes the vulnerability was reported by Ilias el Matani. Siemens reports that no fix is currently planned.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to extract sensitive information by tricking users into accessing a malicious link.
Siemens Advisory #4
This advisory describes an LDAP injection vulnerability in the Siemens Mendix LDAP. The vulnerability was self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an unauthenticated remote attacker to bypass username verification.
Mitsubishi Update #1
This update provides additional information on the FA Engineering Software products advisory that was originally published on January 30th, 2024 and most recently updated on October 31st, 2024. The new information includes updating affected versions and mitigations.
Mitsubishi Update #2
This update provides additional information on the Multiple Factory Automation products advisory that was originally published on February 27th, 2024. The new information includes adding detail to affected product and mitigation sections.
Johnson Controls Update
This update provides additional information on the Software House C●CURE 9000 advisory that was originally published on July 9th, 2024. The new information includes updated affected products and updated mitigations.
Delta Update
This update provides additional information on the DRASimuCAD advisory that was originally published on January 9th, 2025. The new information includes announcing that a patch was available to fix vulnerabilities.