
ICS Patch Tuesday: Advisories Published by Siemens, Rockwell, Mitsubishi Electric

Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their products. 


Several major industrial control systems (ICS) providers have released Patch Tuesday advisories to inform customers about vulnerabilities discovered and fixed in their products.

Siemens has published 15 new advisories. Critical vulnerabilities have been patched by the company in the Ruggedcom Crossbow server application, Simatic CN 4100, the Simatic RTLS Locating Manager, and the network communication library used in Desigo Fire Safety UL and Cerberus PRO UL fire protection systems.

Half a dozen vulnerabilities have been assigned ‘critical’ severity ratings, allowing remote code execution with elevated privileges, access to a device through weakly protected or hardcoded credentials, privilege escalation, and man-in-the-middle attacks. 

The remaining advisories address vulnerabilities that have a maximum severity rating of ‘high’. The flaws impact Simatic, Sinamics, Sinumerik, TIA Portal, Parasolid, Polarion ALM, Tecnomatix Plant Simulation, Sicam, Teamcenter Visualization, JT2Go, Solid Edge, Ruggedcom, Simcenter Nastran and other industrial products. Many of the vulnerabilities can be exploited by getting the targeted user to open a malicious file. 

Siemens has yet to release patches for some of these vulnerabilities. 

Rockwell Automation has also released two advisories. The first informs customers about a high-severity vulnerability in FactoryTalk Remote Access that can allow an attacker who already has admin privileges to execute arbitrary code.

Rockwell’s second advisory describes a high-severity SQL injection vulnerability in the Datalog Function within FactoryTalk View SE that could allow an attacker to obtain sensitive information or tamper with data stored in the database. 

Mitsubishi Electric on Tuesday informed customers about a dozen vulnerabilities affecting various factory automation (FA) engineering software products due to the use of Jungo WinDriver. An attacker who has access to the targeted system can exploit these flaws for arbitrary command execution, privilege escalation and DoS attacks. 


Johnson Controls also published a new advisory on Tuesday, which does not specifically cover ICS but rather other types of operational technology (OT). The advisory informs customers about a vulnerability in the C•CURE 9000 access control and event management solution. The security issue can allow an attacker to obtain credentials used to access the application.

The US cybersecurity agency CISA informed organizations about the Rockwell Automation, Mitsubishi Electric and Johnson Controls advisories on Tuesday.

CISA also published an advisory for vulnerabilities found in a substation management product made by Subnet Solutions.

Schneider Electric has not released any new advisories this Patch Tuesday.

Related: Organizations Informed of 10 Vulnerabilities in Rockwell Automation Products 

Related: Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability

Related: ICS Patch Tuesday: Siemens Addresses Palo Alto Networks Product Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
