September 2024 Patch Tuesday brought security advisories from several ICS vendors, including Siemens, Schneider Electric and ABB, as well as the US cybersecurity agency CISA.
Siemens published 17 new advisories. The most serious of the vulnerabilities based on its CVSS score — Siemens now includes CVSS 4.0 scores in some advisories — is a critical authentication bypass issue in the Industrial Edge Management product. The flaw could allow an unauthenticated, remote attacker to impersonate other devices onboarded to the system.
The list of critical vulnerabilities also includes unauthenticated remote code execution flaws in Simatic products, and a code injection vulnerability in Scalance W products.
Other potentially serious flaws — with severity ratings of ‘critical’ or ‘high’ — include DoS bugs in Automation License Manager and Sicam products, a privilege escalation issue in Sinumerik products, a remote code execution issue in Sinema Remote Connect Client, and a potential arbitrary code execution or crash issue in Tecnomatix Plant Simulation.
High-severity DoS bugs have been found in various Simatic products. Medium-severity issues have been addressed in Sinumerik, Sinema, and Mendix products.
Siemens has yet to release patches for some of these vulnerabilities, but mitigations and workarounds are available.
Schneider Electric has released two new advisories for two new vulnerabilities. One of them is a high-severity privilege escalation in Vijeo Designer. The second flaw is a medium-severity XSS bug that can be exploited by an authenticated attacker.
ABB has published one advisory to inform customers about two medium-severity DoS issues in Relion protection relays.
CISA has released four ICS advisories. One of them covers three critical and high-severity vulnerabilities in Viessmann Climate Solutions SE. The flaws are related to hardcoded credentials, forced browsing, and command injection, and PoC code is publicly available.
The remaining three advisories cover a high-severity file upload vulnerability in SpiderControl SCADA Web Server, a high-severity DoS bug in Rockwell Automation SequenceManager, and a medium-severity information exposure issue in BPL Medical Technologies Android applications.
ICS Patch Tuesday September 2024: Advisories Published by ABB, Siemens, Schneider, CISA
For September 2024, two dozen ICS Patch Tuesday advisories were published by Siemens, Schneider Electric, CISA and ABB.
Siemens Warns Customers of New Meltdown, Spectre Variants
(Eduard Kovacs - SecurityWeek) - Siemens recently updated its security bulletin for the Meltdown and Spectre vulnerabilities to inform customers of the latest variants, specifically the ones known as LazyFP and Spectre 1.1. Several industrial control systems (ICS) vendors published security advisories for the CPU flaws shortly after they were disclosed in early January. Siemens published a bulletin on speculative side-channel vulnerabilities on January 11. In late May, the company updated its bulletin to include information about Variant 3a and Variant 4,
Vulnerabilities Expose Siemens Central Plant Clocks to Attacks
(SecurityWeek - Eduard Kovacs) Siemens informed customers on Tuesday that some of its SICLOCK central plant clocks are affected by several vulnerabilities, including ones that have been rated “critical.” Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source. According to the German industrial giant, SICLOCK systems are affected by a total of six vulnerabilities. The security holes have been assigned
Critical Vulnerabilities Found in Siemens Building Automation, Telecontrol Products
(Eduard Kovacs / SecurityWeek) - Industrial giant Siemens this week warned that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw. One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS). The bugs affect Gemalto