This week we have nine vendor disclosures from Bosch, ZIV
Automation (2), Emerson, GE Healthcare, Johnson Controls, Rockwell (2), and
Siemens.


Bosch Advisory

Bosch published an advisory describing a stack-based buffer overflow
vulnerability in their Rexroth ID 200/C-ETH using the EtherNet/IP Protocol.
This is a third-party (Real Time Automation) vulnerability. Bosch provides
generic mitigation measures.

ZIV Automation Advisories

Incibe-CERT published an advisory describing an uncontrolled resource
consumption vulnerability in the ZIV 4CCT Smart Metering Data Concentrator.
The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a
patch available that mitigates the vulnerability. There is no indication that
Menéndez has been provided an opportunity to verify the efficacy of the fix.


Incibe-CERT published an advisory describing an improper authentication
vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The
vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch
available that mitigates the vulnerability. There is no indication that
Menéndez has been provided an opportunity to verify the efficacy of the fix.

Emerson Advisory

Emerson published an advisory describing the fdtCONTAINER vulnerability in
their Rosemont Transmitter Interface Software. Emerson no longer supports that
software.

NOTE: This Emerson impact was previously reported by NCCIC-ICS.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing undisclosed vulnerabilities
in the VC150 Vital Signs Monitor that they distribute. The Innokas Medical web
site says only, in its software update note for the VC150, that the update
contains “Cybersecurity enhancements and bug fixes”. GE Healthcare has made the
updated software available.

Johnson Controls Advisory

Johnson Controls has published an advisory discussing four vulnerabilities in
their Sur-Gard System 5 receivers. They are third-party (Treck)
vulnerabilities. Johnson Controls has a new version that mitigates the
vulnerabilities.

NOTE: This advisory does not specifically name the four vulnerabilities
identified by Treck and NCCIC-ICS; it just provides the CVE numbers:
CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, and CVE-2020-27338.

Rockwell Advisories

Rockwell published an advisory describing the fdtCONTAINER vulnerability in
their FactoryTalk AssetCentre. Rockwell has a new version that mitigates the
vulnerability.


Rockwell published an advisory describing a buffer overflow vulnerability in
their MicroLogix 1400 Controller. The vulnerability was reported by Parul
Sindhwad and Dr. Faruk Kazi from COE-CNDS. Rockwell provides generic
mitigation measures.

Siemens Advisory

Siemens published an advisory describing a missing authentication for critical
function vulnerability in their SIMATIC HMI Panels. The vulnerability was
reported by the Zero Day Initiative. Siemens has new versions that mitigate the
vulnerability. There is no indication that the researcher has been provided an
opportunity to verify the efficacy of the fix.

NOTE: The advisory acknowledges the coordination efforts of
CISA, so it is likely that NCCIC-ICS will publish an advisory on this
vulnerability next week.
