Tuesday, March 2, 2021
DHS

PerFact OpenVPN-Client

This advisory contains mitigations for an External Control of System or Configuration Setting vulnerability in the PerFact OpenVPN-Client.
DHS

Fatek FvDesigner

This advisory contains mitigations for Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, and Out-of-Bounds Read vulnerabilities in  Fatek FvDesigner software.
DHS

Rockwell Automation Logix Controllers

This advisory contains mitigations for a n Insufficiently Protected Credentials vulnerability in Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers.
DHS

ProSoft Technology ICX35

This advisory contains mitigations for a Permissions, Privileges, and Access Controls vulnerability in ProSoft Technology ICX35 industrial cellular gateways.
DHS

Rockwell Automation FactoryTalk Services Platform

<p>This advisory contains mitigations for a Use of Password Hash with Insufficient Computational Effort vulnerability in the Rockwell Automation FactoryTalk Services Platform.</p>
DHS

Advantech BB-ESWGP506-2SFP-T

<p>This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in Advantech BB-ESWGP506-2SFP-T industrial ethernet switches.</p>
DHS

Advantech Spectre RT Industrial Routers

<p>This advisory contains mitigations for Improper Neutralization of Input During Web Page Generation, Cleartext Transmission of Sensitive Information, Improper Restriction of Excessive Authentication Attempts, Use of a Broken or Risky Cryptographic Algorithm, and Use of Platform-Dependent Third-party Components vulnerabilities...
DHS

Johnson Controls Metasys Reporting Engine (MRE) Web Services

This advisory contains mitigations for a Path Traversal vulnerability in the Johnson Controls Metasys Reporting Engine (MRE) Web Services software application.
DHS

Mitsubishi Electric FA engineering software products

This advisory contains mitigations for Heap-based Buffer Overflow, and Improper Handling of Length Parameter Inconsistency vulnerabilities in Mitsubishi Electric FA engineering software.
DHS

Schneider Electric EcoStruxure Power Build-Rapsody (Update A)

This updated advisory is a follow-up to the original advisory titled ICSA-21-012-01 Schneider Electric EcoStruxure Power Build-Rapsody that was published January 12, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Unrestricted Upload of File...
DHS

Mitsubishi Electric MELSEC iQ-R Series (Update B)

This updated advisory is a follow-up to the advisory update titled ICSA-20-282-02 Mitsubishi Electric MELSEC iQ-R Series (Update A) that was published October 29, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for an Uncontrolled Resource...
DHS

Hamilton-T1

This advisory contains mitigations for a Use of Hard-coded Credentials, Missing XML Validation vulnerability in Hamilton Medical AG T1 Ventilators.
DHS

Open Design Alliance Drawings SDK

This advisory contains mitigations for Stack-based Buffer Overflow, Type Confusion, Untrusted Pointer Dereference, Incorrect Type Conversion or Cast, and Memory Allocation with Excessive Size Value vulnerabilities in Open Design Alliance Drawings SDK software.
DHS

Rockwell Automation Allen-Bradley Micrologix 1100

This advisory contains mitigations for an Improper Handling of Length Parameter Inconsistency vulnerability in the Allen-Bradley MicroLogix 1100 Programmable Logic Controller. Allen-Bradley is a subsidiary of Rockwell Automation.
DHS

WAGO M&M Software fdtCONTAINER (Update B)

This updated advisory is a follow-up to the advisory update titled ICSA-21-021-05 WAGO M&M Software fdtCONTAINER (Update A) that was published February 4, 2021, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Deserialization of Untrusted Data...
DHS

Multiple Embedded TCP/IP stacks

This advisory contains mitigations for Use of Insufficiently Random Values vulnerabilities in Nut/Net, CycloneTCP, NDKTCPIP, FNET, uIP-Contiki-OS, uC/TCP-IP, uIP-Contiki-NG, uIP, picoTCP-NG, picoTCP, MPLAB Net, Nucleus NET, Nucleus ReadyStart TCP/IP stacks.
DHS

Rockwell Automation DriveTools SP and Drives AOP

This advisory contains mitigations for an Uncontrolled Search Path Element vulnerability in Rockwell Automation DriveTools SP and Drives AOP software.
DHS

Wibu-Systems CodeMeter (Update E)

This updated advisory is a follow-up to the advisory update titled ICSA-20-203-01 Wibu-Systems CodeMeter (Update D) that was published December 3, 2020, to the ICS webpage on us-cert.gov. This advisory contains mitigations for Buffer Access with Incorrect Length Value,...
DHS

GE Digital HMI/SCADA iFIX

This advisory contains mitigations for Incorrect Permission Assignment for Critical Resource vulnerabilities in the GE Digital HMI/SCADA iFIX software component.
DHS

Advantech iView

This advisory contains mitigations for SQL Injection, Path Traversal, and Missing Authentication for Critical Function vulnerabilities in the Advantech iView device management application.

Attacker Expands Use of Malicious SEO Techniques to Distribute Malware

The operators of REvil and Gootkit have begun using a tried and tested technique to distribute additional malware, Sophos says.

Quarter of Healthcare Apps Contain High Severity Bugs

Quarter of Healthcare Apps Contain High Severity Bugs A quarter (25%) of healthcare apps contain high severity flaws, but healthcare organizations (HCOs) are relatively quick to fix them, according to new data from Veracode. The security vendor broke out sector-specific...
IBM Security

‘Clear and Present Danger’: Why Cybersecurity Risk Management Needs to Keep Evolving

The phrase ‘future-proof’ is seductive. We want to believe technology prepares us for the future. But with threat actors and developers in an arms race to breach and protect, cybersecurity risk — and cybersecurity risk management — are always...

Microsoft's Dream of Decentralized IDs Enters the Real World

The company will launch a public preview of its identification platform this spring—and has already tested it at the UK's National Health Service.

Microsoft Teams Issues Major Blow To Zoom With Game-Changing New Security Features

Microsoft Teams has just issued a massive blow to Zoom with the launch of multiple new security features, including the game-changing security feature it was previously lacking.