ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

Siemens

Siemens has released only seven new advisories, but they describe a total of 92 vulnerabilities. However, a vast majority are introduced by the use of third-party components rather than being specific to Siemens products.

For instance, 65 vulnerabilities affecting components such as the Linux kernel, Busybox, OpenSSL and OpenVPN have been patched in Ruggedcom and Scalance products. Exploitation of these flaws can lead to a denial of service (DoS) condition or to code injection.

Seventeen vulnerabilities affecting third-party components have been patched in Scalance devices. Exploitation of these security holes can lead to a DoS condition or the disclosure of sensitive data.

Siemens has also announced that several OpenSSL vulnerabilities have been addressed in Scalance W1750D devices. 

A high-severity DoS vulnerability affecting Wind River VxWorks has been patched in Siprotec 5 devices.

[ Read: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms ] 

In addition to vulnerabilities affecting third-party components, Siemens has informed customers about a critical authentication bypass issue affecting the Mendix SAML module. 

The company has also disclosed privilege escalation, information disclosure, and SQL injection bugs in Ruggedcom Crossbow devices, including high-severity issues. 

It’s worth noting that Siemens has yet to release actual patches for some of these vulnerabilities. In some cases, only mitigations are currently available. 

Schneider Electric

Schneider Electric has published three new advisories covering a total of 10 vulnerabilities. 

One advisory describes a critical vulnerability in PowerLogic power meters. The flaw can be exploited for DoS attacks or remote code execution.

Another advisory describes eight security holes found in the IGSS SCADA product. Various modules of IGSS are affected by DoS and remote code execution issues that have been assigned ‘high’ and ‘medium’ severity ratings. 

The last advisory informs users about a session hijacking issue affecting the EcoStruxure Power Monitoring Expert product.

Siemens and Schneider on Tuesday also updated dozens of previous advisories to inform customers about the availability of patches, new CVEs, changes in affected product lists, and other information.

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Related: ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Related: 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider