Siemens and Schneider Electric on Tuesday released a total of nine new security advisories addressing a total of 50 vulnerabilities affecting their industrial products.
Siemens
Siemens has released five new advisories to inform customers about the availability of patches for more than 40 vulnerabilities.
In its Simatic CN 4100 communication system, Siemens patched a critical issue that can be exploited to gain admin access and take complete control of a device, as well as a high-severity bug that can allow an attacker to bypass network isolation.
In Ruggedcom ROX products, the industrial giant fixed 21 vulnerabilities, including ones that can be exploited to obtain information, execute arbitrary commands or code, cause a DoS condition, or perform arbitrary actions through CSRF attacks. A majority have ‘critical’ or ‘high’ severity ratings, and some of these security holes impact third-party components.
Over a dozen vulnerabilities, including critical- and high-severity bugs, have been addressed in Simatic MV500 optical readers, including in their web server and third-party components. Exploitation can lead to DoS or information disclosure.
Patches have also been released for six high-severity issues in the Tecnomatix Plant Simulation software. They allow an attacker to crash the application or potentially execute arbitrary code by getting the targeted user to open specially crafted files.
Siemens also resolved a high-severity DoS issue in the SiPass access control system.
Schneider Electric
Schneider Electric has released four new advisories. They cover six vulnerabilities that are specific to the company’s products and over a dozen flaws affecting a third-party component, the Codesys runtime system V3 communication server.
The Codesys flaws impact PacDrive and Modicon controllers, Harmony HMIs, and the SoftSPS simulation runtime embedded in EcoStruxure Machine Expert. Exploitation of the security holes can lead to DoS and possibly remote code execution.
In the StruxureWare Data Center Expert (DCE) monitoring software, Schneider patched two high-severity and two medium-severity issues that can lead to unauthorized access or remote code execution.
A high-severity flaw has been patched in the Accutech Manager application for sensors, and a medium-severity information disclosure issue has been fixed in the EcoStruxure OPC UA Server Expert product.
Schneider Electric and Siemens Energy recently confirmed being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day vulnerability.
Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities
Related: ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities