Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities

Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.

Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products. 

Siemens

Siemens has published six new advisories describing 26 vulnerabilities. The company has informed customers about two critical flaws in Siveillance Video products that can be exploited for authenticated remote code execution.

The Scalance local processing engine (LPE) is affected by one critical and four low-severity issues. The flaws can be exploited to access the underlying operating system with elevated privileges, access data, and cause a DoS condition. 

Several critical and high-severity vulnerabilities have been patched in third-party components used by the Sinec network management system.

Issues related to command injection, hardcoded credentials, path traversal, information access, and DoS have been addressed in the Simatic Cloud Connect 7 IoT gateway.

Siemens has patched several vulnerabilities that can be exploited using specially crafted files for code execution, information disclosure and DoS attacks in Solid Edge tools. 

The company has also notified customers about a Wi-Fi client isolation bypass attack that allows an attacker to intercept traffic at the MAC layer. The issue affects Scalance devices, but a fix has yet to be released. 

Advertisement. Scroll to continue reading.

For all other vulnerabilities, Siemens has released patches.

Schneider Electric

Schneider Electric has published four new advisories that describe half a dozen vulnerabilities. 

One advisory covers a high-severity vulnerability affecting PowerLogic power meters. The flaw allows an attacker who can intercept network traffic to obtain sensitive information, modify data, or cause a DoS condition.

Another advisory informs customers about an OPC Factory Server vulnerability that can be exploited to obtain sensitive information. 

Two of the Schneider advisories inform customers about vulnerabilities affecting Aveva products — Schneider acquired Aveva earlier this year. Aveva published its own advisories for the vulnerabilities, which include critical and high-severity issues, in March.  

[ Read: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms ] 

The French industrial giant also notified customers recently that it’s aware of the public availability of a PoC exploit targeting KNX home and building automation systems. 

The PoC exploit that Schneider is warning about, published in March, impacts the company’s spaceLYnk, Wiser for KNX, and FellerLYnk products. The exploit targets two known vulnerabilities: one addressed by the vendor in February 2022 (CVE-2022-22809) and one addressed in August 2020 (CVE-2020-7525). 

Schneider issued a warning over KNX attacks back in 2021 and now says “this new exploit brings further attention to the recommended mitigations in that security bulletin”.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta
www.icscybersecurityconference.com

Related: Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.