December 12, 2023 at 08:48AM
Siemens and Schneider Electric have published their Patch Tuesday advisories for December 2023, addressing dozens of vulnerabilities. Siemens’ advisories cover over 30 vulnerabilities, including critical flaws, and Schneider Electric has released advisories about critical, high, and medium-severity vulnerabilities affecting their products. A total of 90 vulnerabilities have been addressed by the two companies.
Siemens has published 12 advisories covering over 30 vulnerabilities, with one advisory highlighting 430 GNU/Linux subsystem vulnerabilities affecting its Simatic S7-1500 CPU. The company is preparing patches for these flaws. There is also a high-severity vulnerability affecting LOGO! V8.3 BM controllers that can be exploited through electromagnetic fault injection. Siemens has released new hardware versions to address the issue and is working on new Siplus devices that should not be vulnerable to this attack.
Additionally, Siemens has informed customers about critical and/or high-severity flaws in products such as Sinec INS, Scalance M-800/S615, Sinumerik ONE and MC, Simatic S7-1500, Sinamics S210 and S120, and User Management Component (UMC). Exploitation of these vulnerabilities can lead to denial-of-service conditions or arbitrary code execution. Medium-severity issues have been addressed in Simatic Step 7 and Sicam Q100 products. Some of the vulnerabilities have already been patched and others are scheduled to be fixed in the future, but Siemens does not intend to release patches for some of the impacted products.
Schneider Electric has released three new advisories describing a total of four vulnerabilities. The most serious is a critical flaw in the Redis database used in the company’s Plant iT/Brewmaxx process control system, which can lead to a sandbox escape and remote code execution. The company also patched a high-severity open redirect vulnerability in its Trio licensed and license-free data radio products, as well as a medium-severity path traversal vulnerability in Easy UPS Online Monitoring Software.
These advisories highlight the need for proactive patching and security measures to address the vulnerabilities affecting products from Siemens and Schneider Electric.