Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Security Advisories Released by Siemens, Schneider, CISA, Others

December 2024 ICS Patch Tuesday brings advisories from CISA, as well as several major industrial automation companies. 

ICS Patch Tuesday

The December 2024 ICS Patch Tuesday brings advisories from the cybersecurity agency CISA, as well as several major industrial automation companies. 

Schneider Electric published three new advisories this Patch Tuesday. One advisory describes a critical flaw in Modicon controllers that can allow an unauthenticated attacker to cause disruption to operations. 

Another advisory describes a high-severity issue in Harmony and Pro-face HMI products, which could “cause complete control of the device when an authenticated user installs malicious code into the HMI product”.

The third advisory describes a medium-severity DoS bug in the PowerChute Serial Shutdown UPS management software.

Siemens has published 10 new advisories. The most serious, based on its CVSS score, is a high-severity CSRF issue in Ruggedcom ROX II devices that could allow an attacker to conduct actions on behalf of an authenticated user by tricking the target into clicking on a malicious link. 

The industrial giant has also addressed two high-severity arbitrary code execution vulnerabilities in Simatics S7 products that use TIA Portal prior to version 20.

Multiple high-severity code execution issues were addressed in Teamcenter Visualization, Solid Edge, Parasolid and Simcenter Femap. They can be exploited by getting the targeted user to open a specially crafted file.

Medium-severity issues were addressed in Sentron Powercenter (DoS), Sicam A8000 (firmware decryption), and Comos (XXE injection) products. 

Advertisement. Scroll to continue reading.

As usual, Siemens has released patches for some of these vulnerabilities, but for some flaws a patch is pending or not planned at all. Mitigations and workarounds are also available.

A few days before Patch Tuesday, Rockwell Automation published an advisory to inform customers about four vulnerabilities in the Arena event simulation and automation software. The flaws have a ‘high severity’ rating and they can be exploited for arbitrary code execution using specially crafted files.

CISA published seven new ICS advisories on Tuesday, including for some Schneider Electric and the Rockwell vulnerabilities. In addition, the cybersecurity agency has informed organizations about code execution vulnerabilities discovered by researcher Michael Heinzl in Horner Automation Cscape and National Instruments’ LabVIEW product. Another advisory describes a critical default credentials flaw found by DNV researchers in MOBATIME’s Network Master Clock.

Germany-based industrial automation firm Phoenix Contact published two new advisories just before Patch Tuesday to inform customers about vulnerabilities in PLCnext firmware. The advisories describe dozens of security holes found over the past two years in third-party software.

Related: Chipmaker Patch Tuesday: Intel Publishes 44 and AMD Publishes 8 New Advisories

Related: ICS Patch Tuesday: Security Advisories Released by CISA, Schneider, Siemens, Rockwell 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.