
ICS Patch Tuesday: Advisories Published by Siemens, Schneider, ABB, CISA

Two dozen ICS Patch Tuesday advisories have been published by Siemens, Schneider Electric, CISA and ABB.


The September 2024 Patch Tuesday brings security advisories from several industrial control system (ICS) vendors, including Siemens, Schneider Electric and ABB, as well as the US cybersecurity agency CISA.

Siemens has published 17 new advisories. The most serious of the vulnerabilities based on its CVSS score — Siemens now includes CVSS 4.0 scores in some advisories — is a critical authentication bypass issue in the Industrial Edge Management product. The flaw could allow an unauthenticated, remote attacker to impersonate other devices onboarded to the system.

The list of critical vulnerabilities also includes unauthenticated remote code execution flaws in Simatic products, and a code injection vulnerability in Scalance W products. 

Other potentially serious flaws — with severity ratings of ‘critical’ or ‘high’ — include DoS bugs in Automation License Manager and Sicam products, a privilege escalation issue in Sinumerik products, a remote code execution issue in Sinema Remote Connect Client, and a potential arbitrary code execution or crash issue in Tecnomatix Plant Simulation. 

High-severity DoS bugs have been found in various Simatic products. Medium-severity issues have been addressed in Sinumerik, Sinema, and Mendix products. 

Siemens has yet to release patches for some of these vulnerabilities, but mitigations and workarounds are available. 

Schneider Electric has released two new advisories for two new vulnerabilities. One of them is a high-severity privilege escalation in Vijeo Designer. The second flaw is a medium-severity XSS bug that can be exploited by an authenticated attacker. 

ABB has published one advisory to inform customers about two medium-severity DoS issues in Relion protection relays. 


CISA has released four ICS advisories. One of them covers three critical and high-severity vulnerabilities in Viessmann Climate Solutions SE. The flaws are related to hardcoded credentials, forced browsing, and command injection, and PoC code is publicly available. 

The remaining three advisories cover a high-severity file upload vulnerability in SpiderControl SCADA Web Server, a high-severity DoS bug in Rockwell Automation SequenceManager, and a medium-severity information exposure issue in BPL Medical Technologies Android applications.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
