OMICRON Product Security Vulnerability Handling and Disclosure
At OMICRON we take any type of vulnerability issue that affects our products very seriously, and we appreciate and welcome every report that helps us improve their security. Consequently, we have established a systematic approach for receiving, handling, and disclosing such vulnerabilities.
Coordinated Disclosure
We are aware of our responsibility for contributing to an increased level of cybersecurity, especially in the area of critical infrastructures. Therefore, we want to inform our customers about validated and relevant vulnerabilities that affect our products in our Security Advisories section below. However, to avoid unnecessary risks to our customers, we encourage anyone that detects a vulnerability to not make the information public until we have evaluated the appropriate remediation options.
OMICRON Product Security Team
At OMICRON, we have a dedicated product security team responsible for managing security issues and taking further disclosure actions. They are happy to help you with any questions related to vulnerabilities in OMICRON products. If possible, please use encrypted e-mail communication.
security@omicronenergy.com
PGP Public Key3.14 kB
Fingerprint: 90F2 6F91 6186 22EA AFF1 06A0 F014 F4B8 C72E C818
Handling Vulnerability and The Disclosure Process
To ensure reliable and efficient handling and disclosure of relevant security issues, we have established a comprehensive and systematic process. Below you can find more details about each stage of the process.
1. Report
We invite everyone to report security issues that affect OMICRON products.
We respect your privacy and will not publish any information about you without your explicit consent.
It is possible to submit an identified security issue anonymously, but if desired, we will credit you for finding a vulnerability issue in our security advisory.
To report a vulnerability issue, please contact the dedicated Product Security Team mentioned earlier. Please provide as many details as possible when reporting a security issue, and include the following information in your report:
- Affected OMICRON product including detailed version
- Detailed description of the vulnerability issue
- If possible, please attach available exploit code or step-by-step approach to find the vulnerability
- Are there any plans to make the vulnerability publicly available?
2. Analysis
After we receive your report, we will initiate a comprehensive analysis of the security issue. Our goal is to reproduce the problem and to identify its root cause.
3. Assessment
As soon as the analysis of the security issue is completed, we will continue with the assessment of the probability of occurrence and the potential impact for our customers.
4. Treatment
Based on the assessment, we can derive further treatment measures. This may include providing a patch to affected customers and consequently, a structured disclosure of the vulnerability.
5. Disclosure
We are aware of our responsibility and the importance of informing affected customers about relevant vulnerability issues that affect OMICRON products to avoid consequential damage. Therefore, every security issue is taken seriously, and affected customers will be informed.
We will publish the following disclosure information:
- Vulnerability description
- Affected OMICRON products including detailed version
- CVSS score
- CVE entry (if applicable)
- Required steps to remediate the vulnerability
- Credits (if desired by the finder)
Security Advisories
OMICRON has introduced product security vulnerability handling and disclosure in 2021. Below you can find all security advisories that have been found and published meanwhile.
| ID | Title | Affected Products | CVE ID | CVSS Score | Last update | Download |
|---|---|---|---|---|---|---|
OSA-9 | 3rd Party Vulnerabilities in CM-Line, CMS 356 and ARCO 400 embedded image versions | CMC 256plus, CMC 353, CMC 430, CMS 356, CMC 850, ARCO 400 with Images before v2.63 | CVE-1999-0517 | 7.5 | 2024-03-29 | |
OSA-8 | Linux Kernel Vulnerability in IGB Driver affecting StationGuard and StationScout | StationGuard Image 2.10.0073, 2.20.0080, 2.21.0081, StationScout StationScout Image 2.10.0059, 2.20.0063, 2.21.0064 | CVE-2023-45871 | 9.8 | 2023-11-22 | |
OSA-7 | 3rd Party Vulnerabilities affecting StationGuard and StationScout | StationGuard < 2.30, StationScout < 2.30 | CVE-2023-23919 | 7.5 | 2023-11-22 | |
OSA-6 | Incorrect Authorization Vulnerability in StationScout and StationGuard | StationGuard StationGuard Image 1.10.0056 - 2.20.0080, StationScout StationScout Image 1.30.0040 - 2.20.0063 | CVE-2023-28611 | 10 | 2023-11-22 | |
OSA-5 | Vulnerability in Update Process of StationScout and StationGuard < 2.21 | StationGuard StationGuard Image all before 2.20.0080, StationScout StationScout Image all before 2.20.0063 | CVE-2023-28610 | 10 | 2023-11-22 | |
OSA-4 | 3rd Party Vulnerabilities affecting StationGuard and StationScout < 2.20 | StationGuard < 2.20, StationScout < 2.20 | CVE-2018-25032 | 7.5 | 2023-11-22 | |
OSA-3 | 3rd Party Vulnerabilities affecting StationGuard image < 2.00 | StationGuard StationGuard Image all before 1.10.0056 | CVE-2021-37701 | 5 | 2023-11-22 | |
OSA-2 | Multiple 3rd Party Denial-of-Service Vulnerabilities in StationGuard and StationScout < 2.0 | StationGuard StationGuard Image all before 1.10.0056, StationScout StationScout Image all before 1.30.0040 | CVE-2020-8265 | 8.1 | 2022-11-22 | |
OSA-1 | Denial-of-Service Vulnerability in StationGuard 1.0 | StationGuard StationGuard Image 1.00.0048 | CVE-2021-30464 | 7.5 | 2022-11-22 |
Stay informed
Below you can find our product-specific RSS feeds to stay informed about new or updated security advisories. Simply select the desired product to receive the corresponding RSS link that can be integrated into an RSS reader of your choice.