Today, CISA’s NCCIC-ICS published 20 control system security advisories for products from Siemens (15), Mitsubishi Electric (2), Wibu Systems, Delta Electronics, and Xylem. They also published six updates; I will cover these in a separate post. All of the new advisories that Siemens published on Tuesday were covered today by NCCIC-ICS.
JTTK Advisory #1 – This advisory describes two vulnerabilities in the Siemens JTTK and JT Utilities.
NOTE: The Siemens advisory reports ZDI-Canada reference numbers for these two vulnerabilities. Those, in turn, point to Bentley CVEs: CVE-2021-34878, CVE-2021-34898, and CVE-2021-34937 (links are to ZDI reports; the CVEs are still ‘Reserved’). There are a total of 77 ZDI reports for a variety of vulnerabilities in the Bentley View CAD product.
SiPass Advisory – This advisory describes three separate exposure of resource to wrong sphere vulnerabilities in the Siemens SiPass Integrated.
Teamcenter Advisory – This advisory describes a path traversal vulnerability in the Siemens Teamcenter Active Workspace.
JT Utilities Advisory – This advisory describes 16 vulnerabilities in the Siemens JT Utilities, JT Open Toolkit.
Healthineers Advisory – This advisory describes two separate out-of-bounds write vulnerabilities in the Siemens Healthineers syngo fastView.
NOTE: This should be a medical device security advisory; syngo fastView is a standalone viewer for DICOM2 images.
Simcenter Advisory – This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.
Siveillance Advisory – This advisory describes three separate exposure of resource to wrong sphere vulnerabilities in the Siemens Siveillance Identity self-service portal.
Questa Advisory – This advisory describes an insufficiently protected credential vulnerability in the Siemens Questa Simulation and ModelSim Simulation integrated circuit simulators.
NOTE: The research paper reporting this vulnerability is entitled: “How Not to Protect Your IP – An Industry-Wide Break of IEEE 1735 Implementations”. This vulnerability is not limited to these two Siemens products.
SIMATIC ITC Advisory – This advisory describes the use of components with 19 known vulnerabilities in the Siemens SIMATIC ITC Products.
SIMATIC Advisory – This advisory describes a path traversal vulnerability in the Siemens SIMATIC eaSie PCS 7 Skill Package.
JT2Go Advisory – This advisory describes 16 vulnerabilities in the