ICS Patch Tuesday: Advisories Released by Siemens, Schneider, Rockwell, Aveva

ICS Patch Tuesday advisories have been published by Siemens, Schneider Electric, Rockwell Automation, Aveva and CISA.

Industrial control system (ICS) security advisories were published on Tuesday by Siemens, Schneider Electric, Rockwell Automation, Aveva, and the US cybersecurity agency CISA.

Siemens has published nine new advisories covering roughly 50 vulnerabilities. Nearly 30 flaws, including ones rated ‘critical severity’ and ‘high severity’, were found in the SINEC Network Management System (NMS) product.

A majority of the flaws impact third-party components, and the list includes CVE-2023-44487, the vulnerability exploited in the wild for record-breaking HTTP/2 Rapid Reset DDoS attacks. 

High-severity vulnerabilities that can lead to remote code execution, denial of service (DoS), or information disclosure have been patched by Siemens in Intralog WMS, Teamcenter Visualization, JT2Go, NX, Scalance M-800, Sinec Traffic Analyzer, and Comos products.

Siemens patched medium-severity password protection-related issues in Location Intelligence and Logo.

Schneider Electric has published two new advisories. One of them informs customers about an EcoStruxure Machine SCADA Expert and Blue Open Studio vulnerability introduced by the use of an Aveva component. Aveva addressed the issue, which can be exploited for privilege escalation, in January 2024. 

Schneider’s second advisory describes a high-severity DoS vulnerability affecting the Accutech Manager software, which is designed for configuring and monitoring Accutech Wireless sensors. The flaw can be exploited without authentication. 

Industrial software maker Aveva has published three new advisories — all with a severity rating of ‘high’.

They address a DoS vulnerability in SuiteLink Server, code execution and file manipulation in Aveva Reports for Operations, and an SQL injection bug in Historian Server. 

Rockwell Automation has published nine new advisories, which cover 10 vulnerabilities impacting the company’s products. The security holes have been assigned ‘medium’ and ‘high’ severity ratings. 

The list includes arbitrary code execution flaws in AADvance and FactoryTalk products, and DoS flaws in CompactLogix, GuardLogix, ControlLogix and Micro controllers. Rockwell has also patched an authentication bypass bug in DataMosaix, a DLL hijacking vulnerability in Emulate3D, and an unencrypted data issue in Pavilion8. 

CISA has published 10 ICS advisories, a majority covering the Rockwell Automation product vulnerabilities disclosed on Tuesday by the vendor. Two advisories cover the Aveva SuiteLink Server bug and vulnerabilities in Ocean Data Systems Dream Report.

Related: ICS Patch Tuesday: Siemens, Schneider Electric, CISA Issue Advisories

Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA

Related: ICS Patch Tuesday: Advisories Published by Siemens, Rockwell, Mitsubishi Electric

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
