Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA

Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their industrial and OT products. 

ICS Patch Tuesday

The June 2024 Patch Tuesday brings advisories from several ICS vendors, including Siemens, Schneider Electric and Aveva, as well as the US cybersecurity agency CISA.

Siemens

Siemens has published 14 new advisories that cover more than 120 vulnerabilities. The company has made available patches and/or mitigations for these security holes. 

A majority of the flaws impact third-party components and their existence has been known since at least last year. 

The list of noteworthy vulnerabilities includes a critical authentication bypass flaw in the PowerSys service program for PowerLink 50/100 and SWT 3000 devices. This weakness allows a local attacker to gain admin privileges for the managed remote devices.

Siemens has also addressed high-severity code execution vulnerabilities in Tecnomatix Plant Simulation, Teamcenter Visualization, JT2Go, and SICAM AK3/TM/BC devices. 

High-severity issues have also been resolved in Simatic S7-200 devices and Sinec Traffic Analyzer. 

Aveva

Advertisement. Scroll to continue reading.

Industrial software maker Aveva published two new security advisories on Tuesday. One of them informs customers about a high-severity local code execution vulnerability in the PI Asset Framework (AF) Client.

The second advisory covers a high-severity remote code execution vulnerability impacting the PI Web API. Both flaws are related to the deserialization of untrusted data. 

Schneider Electric

Schneider Electric has published five new advisories describing a total of 11 vulnerabilities.

Six flaws have been patched by the industrial giant in SAGE RTUs, including a critical authentication bypass vulnerability, two high-severity issues that can be exploited to cause disruption and for unauthorized file or firmware uploads, and three medium-severity DoS flaws.

The remaining advisories published by Schneider on Tuesday address medium-severity flaws found in Modicon M340 programmable automation controllers, PowerLogic P5 protection relays, EVlink Home Smart EV charging stations, and SpaceLogic controllers.

Exploitation of these vulnerabilities can lead to unauthorized firmware updates, device hijacking, DoS attacks, exposure of the local network, privilege escalation, and the exposure of sensitive information.

CISA

CISA on Tuesday published several ICS advisories, including for a high-severity DoS vulnerability in Rockwell Automation ControlLogix, GuardLogix, and CompactLogix controllers, a critical code execution and data exposure issue in Intrado 911 Emergency Gateway, and two high-severity information disclosure and code execution flaws in MicroDicom medical software. 

Related: Cisco Finds 15 Vulnerabilities in AutomationDirect PLCs

Related: ICS Patch Tuesday: Advisories Published by Siemens, Rockwell, Mitsubishi Electric

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights