CISA Releases Nine Industrial Control Systems Advisories

Summary:

ICS-CERT released the following nine advisories on, March 31, 2022. Click on the links below for more detailed information on these Industrial Control Systems vulnerabilities.

Additional Discussion:

Schneider Electric SCADAPack Workbench

This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Schneider Electric SCADAPack Workbench software.

Hitachi Energy e-mesh EMS

This advisory contains mitigations for Improper Restriction of Operations Within the Bounds of a Memory Buffer, Use After Free, and Uncontrolled Resource Consumption vulnerabilities in Hitachi Energy e-mesh EMS, an optimizer software for energy resources.

Fuji Electric Alpha5

This advisory contains mitigations for Access of Uninitialized Pointer, Out-of-bound Read, Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in the Fuji Electric Alpha5 servo drive system.

Mitsubishi Electric FA products

This advisory contains mitigations for a Use of Password Hash Instead of Password for Authentication, Use of Weak Hash, Cleartext Storage of Sensitive Information, and Authentication Bypass by Capture-replay vulnerabilities in Mitsubishi Electric FA CPU module products.

Rockwell Automation Logix Controllers

This advisory contains mitigations for an Inclusion of Functionality from Untrusted Control Sphere vulnerability in Rockwell Automation Logix Controllers.

GE Renewable Energy MDS Radios

This advisory contains mitigations for Improper Input Validation, Hidden Functionality, Inadequate Encryption Strength, Uncontrolled Resource Consumption, Plaintext Storage of a Password, and Download of Code Without Integrity Check vulnerabilities in General Electric Renewable Energy MDS Radios.

Rockwell Automation Studio 5000 Logix Designer

This advisory contains mitigations for a Code Injection vulnerability in Rockwell Automation Studio 5000 Logix Designer design configuration hardware.

PTC Axeda agent and Axeda Desktop Server (Update C)

This updated advisory is a follow-up to the advisory update titled ICSA-22-067-01 PTC Axeda agent and Axeda Desktop Server (Update B) that was published March 15, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Use of Hard-coded Credentials, Missing Authentication for Critical Function, Exposure of Sensitive Information to an Unauthorized Actor, Path Traversal, Improper Check or Handling of Exceptional Conditions vulnerabilities in Axeda agent and Axeda Desktop Server, a remote asset connectivity software used as part of a cloud based IoT platform.

Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update C)

This updated advisory is a follow-up to the advisory update ICSA-20-303-01 Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update B) that was published January 13, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric's MELSEC iQ-R, Q and L Series programmable logic controllers.