CSIRT : Computer Security Incident Response Team

How to contact the Panorama CSIRT

If you want to alert us or send a comment on this topic, please use this form.

Security Bulletins

Security Bulletins are documents designed to:

  • inform on best practices and news in Cybersecurity
  • alert users to vulnerabilities identified in our software and describe their solution.

When the solution requires a Panorama update, you will have to log on to our technical website https://esupport.codra.net.
Date | Reference | Description | Bulletin

7 Jun 19 | Pano/BS011-EN | Hardening of the TLS configuration for Panorama functions accessible via HTTPS
Several Panorama features can expose an HTTPS server to their clients: OPC-UA data server, Historian OPC-UA-HA server, mobile HMI server, SigFox and LoRa acquisition (from Panorama Suite 2019). In order to harden the default configuration of Windows and reduce the risk of attacks on HTTPS servers exposed by Panorama, you must limit the supported TLS protocol versions and cipher suites.
Bulletin (PDF): Panorama_bs-011-en-v1.1.pdf

27 May 19 | Pano/BS010-EN | Failure to authenticate Panorama OPC-UA server HTTPS clients, and addition of access control based on a list of thumbprints
If the Panorama OPC-UA server function is enabled and usable through HTTPS, then it is possible for an attacking client located on the same network as the server to connect to the server without being authenticated and to bypass the access control, despite the security configuration of the server requiring authentication.
Bulletin (PDF): Panorama_bs-010-en-v1.1.pdf

24 Apr 19 | Pano/BS009-EN | Limit the interfaces listened on by the OPC-UA server of Panorama
By default, OPC-UA clients can connect from all network interfaces of a functional server to use the "OPC-UA Data Server" function. In order to strengthen the station configuration, the ports usable to establish a connection with the server must be limited to the network interface dedicated to communication with the OPC-UA clients.
Bulletin (PDF): Panorama_bs-009-en-v1.1.pdf

23 Apr 19 | Pano/BS008-EN | Limiting access of Panorama's OPC-UA Server clients
Panorama's "OPC-UA Data Server" feature enables an OPC-UA client to access the properties and methods exposed by the objects in the Panorama application. In its default configuration, the OPC-UA server provides read-write access to all properties modifiable at run-time and allows all object methods to be called.
Bulletin (PDF): Panorama_bs-008-en-v1.1.pdf

23 Apr 19 | Pano/BS007-EN | Recommendation to stop using the OPC UA Basic128Rsa15 and Basic256 bindings
The Basic128Rsa15 and Basic256 security policies of the OPC UA bindings use cryptographic algorithms that are no longer strong enough to guarantee the confidentiality of the information transmitted in an OPC UA communication between a client and its server.
Bulletin (PDF): Panorama_bs-007-en-v1.1.pdf

26 Oct 18 | Pano/BS006-EN | OPC UA security vulnerabilities
If the OPC-UA server function has been activated, then in specific cases an attacking client can trigger a stack overflow in the OPC UA server by sending malicious queries.
Bulletin (PDF): Panorama_BS-006-EN-V1.1.pdf

26 Oct 18 | Pano/BS005-EN | OPC binding Basic128Rsa15 is deprecated
The OPC UA Basic128Rsa15 cryptosuite relies on cryptographic algorithms that are not strong enough today to ensure the privacy of encrypted communications between an OPC UA client and its server. It is therefore recommended to stop using this cryptosuite on UA bindings, and to use Basic256 and Basic256Sha256 instead.
Bulletin (PDF): Panorama_BS-005-EN-V1.2.pdf

26 Oct 18 | Pano/BS004-EN | Strengthening machine identity control
Machine authentication was not guaranteed in the Active Directory domain, which could allow the identity of a server machine to be stolen on an unsecured network. This possibility of spoofing would allow an attacker to compromise the confidentiality and integrity policies of the network flows from and to the functional servers.
Bulletin (PDF): Panorama_BS-004-EN-V1.2.pdf

26 Oct 18 | Pano/BS003-EN | Panorama services configuration hardening (update)
This security update provides complements to the Panorama security recommendations in the Panorama Suite 2017 manual.
Bulletin (PDF): Panorama_BS-003-en-v1.3.pdf

26 Oct 18 | Pano/BS002-EN | Complements for SNMP-V3 in TSM mode
This security update contains changes and fixes for SNMP-V3 in TSM mode (secured by the DTLS transport layer).
Bulletin (PDF): Panorama_BS-002-EN-V1.2.pdf

26 Oct 18 | Pano/BS001-EN | Update of the Panorama Suite online help and the Network and Security tool
This security update provides additional guidelines on the security implementation for Panorama and a new version of the Network and Security tool in line with these new guidelines.
Bulletin (PDF): Panorama_BS-001-EN-V1.2.pdf