September 2024 Patch Tuesday brought security advisories from several ICS vendors, including Siemens, Schneider Electric and ABB, as well as the US cybersecurity agency CISA.
Siemens published 17 new advisories. The most serious of the vulnerabilities based on its CVSS score — Siemens now includes CVSS 4.0 scores in some advisories — is a critical authentication bypass issue in the Industrial Edge Management product. The flaw could allow an unauthenticated, remote attacker to impersonate other devices onboarded to the system.
The list of critical vulnerabilities also includes unauthenticated remote code execution flaws in Simatic products, and a code injection vulnerability in Scalance W products.
Other potentially serious flaws — with severity ratings of ‘critical’ or ‘high’ — include DoS bugs in Automation License Manager and Sicam products, a privilege escalation issue in Sinumerik products, a remote code execution issue in Sinema Remote Connect Client, and a potential arbitrary code execution or crash issue in Tecnomatix Plant Simulation.
High-severity DoS bugs have been found in various Simatic products. Medium-severity issues have been addressed in Sinumerik, Sinema, and Mendix products.
Siemens has yet to release patches for some of these vulnerabilities, but mitigations and workarounds are available.
Schneider Electric has released two new advisories for two new vulnerabilities. One of them is a high-severity privilege escalation in Vijeo Designer. The second flaw is a medium-severity XSS bug that can be exploited by an authenticated attacker.
ABB has published one advisory to inform customers about two medium-severity DoS issues in Relion protection relays.
CISA has released four ICS advisories. One of them covers three critical and high-severity vulnerabilities in Viessmann Climate Solutions SE. The flaws are related to hardcoded credentials, forced browsing, and command injection, and PoC code is publicly available.
The remaining three advisories cover a high-severity file upload vulnerability in SpiderControl SCADA Web Server, a high-severity DoS bug in Rockwell Automation SequenceManager, and a medium-severity information exposure issue in BPL Medical Technologies Android applications.
ICS Patch Tuesday September 2024: Advisories Published by ABB, Siemens, Schneider, CISA
For September 2024, two dozen ICS Patch Tuesday advisories were published by Siemens, Schneider Electric, CISA and ABB.