Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities

Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities.

Siemens

Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities.

Siemens

Siemens has released 19 new advisories that describe 46 vulnerabilities affecting the company’s products. Two advisories are for flaws that have been rated “critical” with a CVSS score of 10.

As a sidenote, CVSS scores are often misleading in the case of vulnerabilities found in industrial control systems (ICS), but vendors often highlight the CVSS score so this summary will also focus on the security holes with the highest scores. Industrial organizations should check all advisories from the two vendors and assess the risks for their specific environment.

One of the advisories describes three critical and high-severity vulnerabilities in the SIMATIC CP 1543-1 communication processor. Siemens says exploitation of the flaws can lead to arbitrary code execution with elevated privileges, but attacks can only be launched if the Remote Connect Server (SRCS) VPN feature is used — the feature is not enabled by default.

The second advisory describes one critical and one high-severity vulnerability in the SIMATIC eaSie digital assistant. The bugs can be exploited remotely to send arbitrary requests to the system and cause a DoS condition.

Another critical vulnerability addressed in Siemens’ latest round of advisories is a DHCP issue that affects older SINAMICS Perfect Harmony GH180 drives and can allow access to the drive’s internal network.

The company has also informed customers about a critical authentication bypass vulnerability in the Opcenter Quality quality management system.

Advertisement. Scroll to continue reading.

SCALANCE X switches are affected by several critical and high-severity flaws that can be exploited for DoS attacks or brute force attacks that can lead to session hijacking.

Ten advisories describe high-severity vulnerabilities. One of them covers 20 vulnerabilities in the company’s PADS Viewer product, which can be exploited for remote code execution by tricking the targeted user into opening a specially crafted file.

Learn more about vulnerabilities in industrial systems at

SecurityWeek’s ICS Cyber Security Conference

Other high-severity advisories describe issues in EN100 Ethernet modules, RUGGEDCOM ROS and ROX devices, SIMATIC MV500 devices, Simcenter Femap and Parasolid design tools, JT2Go and Teamcenter visualization products, and SICAM A8000 devices. They include command injection, DoS, remote code execution, and authentication issues.

Medium-severity vulnerabilities have been found in Mendix applications and SICAM GridEdge software.

Siemens has started releasing patches, but fixes may not yet be available for certain products. Until these patches do become available, the vendor recommends mitigations and workarounds.

Schneider Electric

Schneider Electric has released four new advisories that describe 13 vulnerabilities. One of them describes a high-severity OS command injection issue in the SpaceLogic C-Bus Home Controller product.

Schneider has also informed customers that some of its OPC UA and X80 advanced RTU communication modules are affected by three high-severity vulnerabilities that can be exploited for DoS attacks, as well as four medium-severity bugs that could allow an attacker to load an unauthorized firmware image.

The company has also released an advisory for high- and medium-severity flaws in Easergy P5 protection relays that could allow an attacker to cause a DoS condition, obtain a device’s credentials, or gain full control of a relay.

One medium-severity vulnerability that can be leveraged to gain access to other devices on the network has been found in Schneider’s Acti9 PowerTag Link C energy monitoring product.

The vendor has released patches and/or mitigations for these vulnerabilities.

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 80 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.