ICS-CERT Advisory Dashboard Updates and Other Advisories for May 2 - 5, 2022

ICS-CERT Advisory Summary

This week CISA ICS-CERT released two new advisories for the following vendors' products: Johnson Controls Metasys, and Yokogawa CENTUM and ProSafe-RS [Table 1]. The ICS-CERT Advisory Dashboard was updated this week with the latest advisory data for each vendor.

Vulnerabilities in the ICS-CERT Advisories released have been organized according to severity, as determined by the Common Vulnerability Scoring System (CVSS) Version 3.0 rating standard:

Critical: vulnerabilities with a CVSS base score of 9.0–10.0

High: vulnerabilities with a CVSS base score of 7.0–8.9

Medium: vulnerabilities with a CVSS base score of 4.0–6.9

Low: vulnerabilities with a CVSS base score of 0.1–3.9

The CVSS score shown reflects the base score only. ICS/OT asset owners should use the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) or Forum of Incident Response and Security Teams (FIRST) CVSS Version 3.0 calculators to derive the Temporal and Environmental scores from the base score for their own control system environment.
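The temporal and environmental adjustment the paragraph refers to, as an added worked example (not part of the advisory summary or any vendor's code): a CVSS v3.0 scorer that takes a vector string with optional temporal (E/RL/RC) and environmental (CR/IR/AR, M*) metrics and returns base, temporal and environmental scores, plus the severity band used above. Metric weights follow the FIRST CVSS v3.0 specification; the vector strings used with it are constructed.

```python
import math
# Metric weights from the FIRST CVSS v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},  # privileges required, scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}   # privileges required, scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR security requirement weights

def roundup(x):
    """Smallest one-decimal value >= x; FIRST's integer form avoids floating-point artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def subscore(av, ac, pr, ui, scope, c, i, a, modified=False):
    """Rounded base sub-score; modified=True caps the ISS at 0.915 as the environmental formula requires."""
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    iss = min(iss, 0.915) if modified else iss
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    exploit = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    total = impact + exploit if scope == "U" else 1.08 * (impact + exploit)
    return roundup(min(total, 10))

def cvss3_scores(vector):
    """Return base, temporal and environmental scores for a CVSS:3.0 vector string."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError("expected a CVSS v3 vector")
    m = dict(p.split(":", 1) for p in parts)
    mod = lambda k: m["M" + k] if m.get("M" + k, "X") != "X" else m[k]  # modified metric, defaulting to base
    tfac = E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]
    base = subscore(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], CIA[m["C"]], CIA[m["I"]], CIA[m["A"]])
    env = subscore(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"),
                   REQ[m.get("CR", "X")] * CIA[mod("C")], REQ[m.get("IR", "X")] * CIA[mod("I")],
                   REQ[m.get("AR", "X")] * CIA[mod("A")], modified=True)
    return {"base": base, "temporal": roundup(base * tfac), "environmental": roundup(env * tfac)}

def severity(score):
    """Severity band used in the advisory summary; a 0.0 score is 'None' in the specification."""
    bands = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
    return next((name for floor, name in bands if score >= floor), "None")
```

For example, a 9.8 base vector with a proof-of-concept exploit (E:P) and a low availability requirement (AR:L) drops to a temporal score of 9.3 and an environmental score of 9.0 for that environment.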


Table 1. CISA ICS-CERT Advisories New Release Summary.

Other Vendor Advisories Released

This week's summary on other vendor advisories is short but provides the list of ICS Advisories released by vendors. These advisories have not been released by CISA ICS-CERT, but most have been associated with previously released CVEs due to vendor product dependencies on other third-party products or open-source software.

Over the past week, the vendors Hitachi Energy, Belden, TRUMPF, Bosch Rexroth, SICK, and Rockwell Automation released vulnerability advisories for products affecting multiple critical infrastructure sectors [Table 2 & Table 3]. The critical infrastructure sectors were derived from the vendor product sites.


Table 2. Vendor CERT Advisory Release Summary May 2 - 3, 2022.

Rockwell Automation also released a vulnerability advisory for FactoryTalk® ProductionCentre (FTPC) v10.04 and earlier due to multiple vulnerabilities affecting third-party software used by FTPC products. Potential exploits of these vulnerabilities include, but are not limited to, remote code execution, information disclosure, and denial of service on FTPC products.[1]


Table 3. Rockwell Automation FactoryTalk Advisory Released on May 5, 2022.

Below are the links to each report contained in this week's brief summary:

Hitachi Energy - Multiple Open-Source Software Related Vulnerabilities in Hitachi Energy Gateway Station (GWS) Product

Hitachi Energy - Multiple Open-Source Software Related Vulnerabilities in Hitachi Energy FACTS Control Platform (FCP) Product

Belden - Multiple vulnerabilities in Provize Basic Frontend

Belden - Vulnerability in ‘axios’ HTTP client in Provize Basic

Belden - Multiple vulnerabilities in Provize Basic Backend

TRUMPF - TruTops Fab, TruTops Boost prone to vulnerability

Bosch Rexroth - Vulnerabilities in the communication protocol of the PLC runtime

SICK - Vulnerability in SICK Flexi Soft PROFINET IO Gateway FX0-GPNT

Rockwell Automation - Vulnerable Third-Party Components in FactoryTalk® ProductionCentre

Reference:

  1. Rockwell Automation. Vulnerable Third-Party Components in FactoryTalk® ProductionCentre (2022). https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1135315. Website accessed May 5, 2022.
