Review – 20 Advisories Published – 12-16-21

Share on facebook
Share on twitter
Share on linkedin
Share on reddit

Today, CISA’s NCCIC-ICS published 20 control system security advisories for products from Siemens (15), Mitsubishi Electric (2), Wibu Systems, Delta Electronics, and Xylem. They also published six updates; I will cover these in a separate post. All of the new advisories that Siemens published on Tuesday were covered today by NCCIC-ICS.

JTTK Advisory #1 – This advisory describes two vulnerabilities in the Siemens JTTK and JT Utilities.

NOTE: The Siemens advisory reports ZDI-Canada reference numbers for these two vulnerabilities. Those, in turn point to Bentley CVE’s; CVE-2021-34878, CVE-2021-34898, and CVE-2021-34937 (links are to ZDI reports, CVE’s are still ‘Reserved’). There are a total of 77 ZDI reports for a variety of vulnerabilities in the Bentley View CAD product.

SiPass Advisory – This advisory describes three separate exposure of resources to wrong sphere vulnerabilities in the Siemens SiPass Integrated.

Teamcenter Advisory – This advisory describes a path traversal vulnerability in the Siemens Teamcenter Active Workspace.

JT Utilities Advisory – This advisory describes 16 vulnerabilities in the Siemens JT Utilities, JT Open Toolkit.

Healthineers Advisory – This advisory describes two separate out-of-bounds write vulnerability in the Siemens Healthineers syngo fastView.

NOTE: This should be a medical device security advisory; syngo fastView is a standalone viewer for DICOM2 images.

Simcenter Advisory – This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.

Siveillance Advisory – This advisory describes three separate exposure of resource to wrong sphere vulnerabilities in the Siemens Siveillance Identity self-service portal.

Questa Advisory – This advisory describes an insufficiently protected credential vulnerability in the Siemens Questa Simulation and ModelSim Simulation integrated circuit simulators.

NOTE: The research paper reporting this vulnerability is entitled: “How Not to Protect Your IP – An Industry-Wide Break of IEEE 1735 Implementations”. This vulnerability is not limited to these two Siemens products.

SIMATIC ITS Advisory – This advisory describes a using components with (19) known vulnerabilities vulnerability in the Siemens IMATIC ITC Products.

SIMATIC Advisory – This advisory describes a path traversal vulnerability in the Siemens SIMATIC eaSie PCS 7 Skill Package.

JT2Go Advisory – This advisory describes 16 vulnerabilities in the

Read more