Siemens, Schneider Electric, CISA, and Rockwell Automation have released November 2024 Patch Tuesday security advisories.
Siemens has published a dozen new advisories. Based on severity score, the most important vulnerability is a critical deserialization issue in TeleControl Server Basic, which can allow an unauthenticated attacker to execute arbitrary code on the device.
In Sinec INS, Siemens patched roughly 60 vulnerabilities, including critical issues. Many of them impact third-party components used by the product. In Sinec NMS and Scalance M-800, the company addressed over a dozen flaws in each product, many of them impacting third-party components.
High-severity issues — one in each product — were addressed by Siemens in Engineering Platforms (code execution), OZW Web Servers (stored XSS), Spectrum Power 7 (local privilege escalation), Siport (privilege escalation), and Simatic CP 1543-1 (unauthorized file system access).
Siemens also informed customers that Solid Edge is affected by several flaws that can be exploited for code execution or DoS attacks by getting the targeted user to open a specially crafted file.
Medium-severity issues have been addressed by the company in Mendix Runtime (bypass account lockout measures) and Ruggedcom Crossbow Station Access Controller (code execution, DoS).
Schneider Electric has published four new advisories. One of them describes a critical EcoStruxure IT Gateway vulnerability that could allow an attacker to take control of the system and obtain sensitive information.
In PowerLogic PM5300 series power meters the industrial giant patched a high-severity DoS issue.
In Modicon M340, Momentum and MC80 controllers, the company resolved five critical and high-severity issues that can be exploited in man-in-the-middle attacks to cause a DoS condition or execute arbitrary code.
Read: Siemens and Rockwell Tackle Industrial Cybersecurity, but Face Customer Hesitation
CISA has published three new advisories. One covers three critical vulnerabilities in the Subnet PowerSystem Center OT device management platform.
The second advisory describes two vulnerabilities in Hitachi Energy TRO600 radios that could be exploited for command execution with root privileges, and to obtain valuable configuration information.
The third advisory covers a high-severity remote code execution vulnerability in Rockwell Automation’s FactoryTalk View ME.
Rockwell Automation published its own Patch Tuesday advisory for this flaw, along with a second advisory describing one critical and two high-severity issues in FactoryTalk Updater.
The FactoryTalk Updater vulnerabilities include an authentication bypass issue that allows an attacker to impersonate a user, a remote code execution bug that requires high permissions, and a local privilege escalation flaw.
Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider, Phoenix Contact, CERT@VDE
Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider, ABB, CISA