The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.
Siemens has published six new advisories that describe a total of 20 vulnerabilities. Security updates are available for many of the affected products, but some will not get patches.
Based on CVSS score — note that CVSS scores can be misleading for ICS vulnerabilities — the most important advisory describes a dozen flaws in Sinec INS (Infrastructure Network Services).
The security holes, all rated ‘critical’ or ‘high severity’, could allow an attacker to read and write
arbitrary files, which could ultimately lead to malicious code execution on the device. Some of the vulnerabilities impact third-party components.
Another advisory describes a critical reflected cross-site scripting (XSS) vulnerability in the Mendix SAML module. An attacker can exploit the weakness to obtain sensitive information by tricking the targeted user into clicking on a link, but exploitation is only possible on certain non-default configurations.
Siemens has informed customers about two high-severity vulnerabilities in Automation License Manager. One issue can allow an unauthenticated attacker to remotely rename and move files, while the other can be exploited for remote code execution if chained with the first vulnerability.
Remote code execution vulnerabilities have been patched in JT Open Toolkit, JT Utilities and Solid Edge. Exploitation involves getting the targeted user to open a specially crafted file.
Researchers have found a hardware issue in S7-1500 CPUs that can allow an attacker with physical access to a device to replace the boot image and execute arbitrary code.
“Siemens has released new hardware versions for several CPU types of the S7-1500 product family in which this vulnerability is fixed and is working on new hardware versions for remaining PLC types to address this vulnerability completely,” Siemens said.
Schneider Electric has also released six new advisories, but they only cover a total of seven vulnerabilities.
The company has informed customers about the availability of patches for critical and high-severity vulnerabilities in the EcoStruxure Geo SCADA Expert product, which can be exploited for DoS attacks and obtaining sensitive information.
In its EcoStruxure Power Operation and Power SCADA Operation software, the industrial giant found a high-severity issue that can be exploited for DoS attacks.
EcoStruxure Power SCADA Anywhere is affected by a high-severity flaw that can be leveraged for OS command execution, but exploitation requires authentication.
EcoStruxure Control Expert, EcoStruxure Process Expert and Modicon PLCs are impacted by a vulnerability that could allow arbitrary code execution and DoS attacks using specially crafted project files. These products are also impacted by an authentication bypass flaw.
Lastly, the EcoStruxure Machine Expert HVAC product is affected by a medium-severity information disclosure issue.