Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.

Siemens and Schneider Electric have addressed a total of nearly 100 vulnerabilities with their February 2023 Patch Tuesday advisories. 

Siemens 

Siemens has published 13 new advisories covering a total of 86 vulnerabilities. 

The most significant vulnerability — based on its CVSS score of 10 — is a memory corruption issue that can lead to a denial-of-service (DoS) condition or arbitrary code execution in the Comos plant engineering software. 

This vulnerability was identified by Siemens’ own employees, which is not surprising. According to a recent report from industrial cybersecurity firm SynSaber, Siemens’ product security team self-reported 544 vulnerabilities in 2022, up from 230 in the previous year. It’s worth noting that many of the flaws addressed by Siemens in its products are actually introduced by third-party components. 

Siemens has patched roughly a dozen critical and high-severity vulnerabilities in its Brownfield Connectivity product. Exploitation of the flaws can lead to a DoS condition. 

Advertisement. Scroll to continue reading.

Some of the high-severity flaws addressed by Siemens in its latest round of Patch Tuesday advisories are related to the BIOS, specifically vulnerabilities resolved by Intel and Insyde in November 2022, including issues related to a type of attack dubbed RingHopper

[ Read: Cyber Insights 2023 | ICS and Operational Technology ]

High-severity vulnerabilities that can be exploited for code execution and DoS attacks by tricking targeted users into processing specially crafted files have been patched in Tecnomatix Plant Simulation, JT Open Toolkit, JT Utilities, Parasolid, Solid Edge, and Simcenter Femap.

A security hole in SiPass integrated ACC that can be exploited to escalate privileges to root, and a DoS flaw in some Scalance switches have also been rated ‘high severity’.

For some of the impacted products, Siemens has yet to release fixes. 

Schneider Electric 

Schneider Electric has published three advisories covering 10 vulnerabilities. One advisory describes nine high- and medium-severity issues discovered in the company’s StruxureWare Data Center Expert monitoring software.

Exploitation of the vulnerabilities can lead to remote code/command execution or privilege escalation. 

Another advisory describes one high-severity improper authentication flaw affecting Merten KNX products. 

The third advisory informs Schneider Electric customers of a medium-severity issue in EcoStruxure Geo SCADA Expert that can allow hackers to falsify logs. 

Related: Siemens License Manager Vulnerabilities Allow ICS Hacking

Related: 2022 ICS Attacks: Fewer-Than-Expected on US Energy Sector, But Ransomware Surged

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.