Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

Siemens

Siemens has released only seven new advisories, but they describe a total of 92 vulnerabilities. However, a vast majority are introduced by the use of third-party components rather than being specific to Siemens products.

For instance, 65 vulnerabilities affecting components such as the Linux kernel, Busybox, OpenSSL and OpenVPN have been patched in Ruggedcom and Scalance products. Exploitation of these flaws can lead to a denial of service (DoS) condition or to code injection.

Seventeen vulnerabilities affecting third-party components have been patched in Scalance devices. Exploitation of these security holes can lead to a DoS condition or the disclosure of sensitive data.

Siemens has also announced that several OpenSSL vulnerabilities have been addressed in Scalance W1750D devices. 

A high-severity DoS vulnerability affecting Wind River VxWorks has been patched in Siprotec 5 devices.

[ Read: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms ] 

Advertisement. Scroll to continue reading.

In addition to vulnerabilities affecting third-party components, Siemens has informed customers about a critical authentication bypass issue affecting the Mendix SAML module. 

The company has also disclosed privilege escalation, information disclosure, and SQL injection bugs in Ruggedcom Crossbow devices, including high-severity issues. 

It’s worth noting that Siemens has yet to release actual patches for some of these vulnerabilities. In some cases, only mitigations are currently available. 

Schneider Electric

Schneider Electric has published three new advisories covering a total of 10 vulnerabilities. 

One advisory describes a critical vulnerability in PowerLogic power meters. The flaw can be exploited for DoS attacks or remote code execution.

Another advisory describes eight security holes found in the IGSS SCADA product. Various modules of IGSS are affected by DoS and remote code execution issues that have been assigned ‘high’ and ‘medium’ severity ratings. 

The last advisory informs users about a session hijacking issue affecting the EcoStruxure Power Monitoring Expert product.

Siemens and Schneider on Tuesday also updated dozens of previous advisories to inform customers about the availability of patches, new CVEs, changes in affected product lists, and other information.

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Related: ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Related: 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.