ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric

November 14, 2023 at 09:27AM

Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2023, addressing a total of around 90 vulnerabilities in their products. Siemens has informed customers about vulnerabilities in several of its devices and software products, some of them rated critical or high severity. Siemens plans to release patches for most of these vulnerabilities, but some products won’t receive fixes. Schneider Electric has also released advisories, patching vulnerabilities in EcoStruxure Power products, PowerLogic products, and Galaxy UPS devices.

Key Takeaways:

1. Siemens has released 14 advisories addressing over 80 vulnerabilities in their products, with a focus on critical vulnerabilities in various devices and systems.
– Critical vulnerabilities have been addressed in Simatic MV500 stationary optical readers, Sinec PNI device initialization program, Siprotec protection devices, Scalance routers, and Desigo CC building management system.
– High-severity vulnerabilities have been identified in Scalance communication devices, Nozomi Networks security software used in Ruggedcom devices, Simatic PCS Neo distributed control systems, Simcenter Femap simulation application, Tecnomatix Plant Simulation software, Mendix Studio Pro development platform, and Siemens OPC UA Modeling Editor.
– Exploitation of these vulnerabilities can result in arbitrary code execution, denial-of-service attacks, information exposure, and privilege escalation.
– Siemens has released or plans to release patches for most vulnerabilities, but some products will not receive fixes.

2. Schneider Electric has released three advisories addressing five vulnerabilities in their products.
– In EcoStruxure Power products, Schneider Electric addressed a high-severity vulnerability that can redirect users to an arbitrary domain and a medium-severity flaw that allows arbitrary JavaScript execution through a cross-site scripting attack.
– In PowerLogic products, Schneider patched a high-severity issue that enables the upload of malicious firmware to a device and a medium-severity bug that allows an attacker with elevated privileges to compromise the user’s browser.
– The third advisory describes a medium-severity flaw in Galaxy UPS devices that can lead to file system enumeration and file downloads.

Overall, both Siemens and Schneider Electric are actively addressing vulnerabilities in their products by releasing advisories and patches to protect their customers from potential exploits.
