ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Siemens and Schneider Electric have addressed a total of nearly 100 vulnerabilities with their February 2023 Patch Tuesday advisories. 

Siemens 

Siemens has published 13 new advisories covering a total of 86 vulnerabilities. 

The most significant vulnerability — based on its CVSS score of 10 — is a memory corruption issue that can lead to a denial-of-service (DoS) condition or arbitrary code execution in the Comos plant engineering software. 

This vulnerability was identified by Siemens’ own employees, which is not surprising. According to a recent report from industrial cybersecurity firm SynSaber, Siemens’ product security team self-reported 544 vulnerabilities in 2022, up from 230 in the previous year. It’s worth noting that many of the flaws addressed by Siemens in its products are actually introduced by third-party components. 

Siemens has patched roughly a dozen critical and high-severity vulnerabilities in its Brownfield Connectivity product. Exploitation of the flaws can lead to a DoS condition. 

Some of the high-severity flaws addressed by Siemens in its latest round of Patch Tuesday advisories are related to the BIOS, specifically vulnerabilities resolved by Intel and Insyde in November 2022, including issues related to a type of attack dubbed RingHopper. 

[ Read: Cyber Insights 2023 | ICS and Operational Technology ]

High-severity vulnerabilities that can be exploited for code execution and DoS attacks by tricking targeted users into processing specially crafted files have been patched in Tecnomatix Plant Simulation, JT Open Toolkit, JT Utilities, Parasolid, Solid Edge, and Simcenter Femap.

A security hole in SiPass integrated ACC that can be exploited to escalate privileges to root, and a DoS flaw in some Scalance switches have also been rated ‘high severity’.

For some of the impacted products, Siemens has yet to release fixes. 

Schneider Electric 

Schneider Electric has published three advisories covering 10 vulnerabilities. One advisory describes nine high- and medium-severity issues discovered in the company’s StruxureWare Data Center Expert monitoring software.

Exploitation of the vulnerabilities can lead to remote code/command execution or privilege escalation. 

Another advisory describes one high-severity improper authentication flaw affecting Merten KNX products. 

The third advisory informs Schneider Electric customers of a medium-severity issue in EcoStruxure Geo SCADA Expert that can allow hackers to falsify logs. 

Related: Siemens License Manager Vulnerabilities Allow ICS Hacking

Related: 2022 ICS Attacks: Fewer-Than-Expected on US Energy Sector, But Ransomware Surged