Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

Siemens

Siemens has released only seven new advisories, but they describe a total of 92 vulnerabilities. However, a vast majority are introduced by the use of third-party components rather than being specific to Siemens products.

For instance, 65 vulnerabilities affecting components such as the Linux kernel, Busybox, OpenSSL and OpenVPN have been patched in Ruggedcom and Scalance products. Exploitation of these flaws can lead to a denial of service (DoS) condition or to code injection.

Seventeen vulnerabilities affecting third-party components have been patched in Scalance devices. Exploitation of these security holes can lead to a DoS condition or the disclosure of sensitive data.

Siemens has also announced that several OpenSSL vulnerabilities have been addressed in Scalance W1750D devices. 

A high-severity DoS vulnerability affecting Wind River VxWorks has been patched in Siprotec 5 devices.

[ Read: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms ] 

Advertisement. Scroll to continue reading.

In addition to vulnerabilities affecting third-party components, Siemens has informed customers about a critical authentication bypass issue affecting the Mendix SAML module. 

The company has also disclosed privilege escalation, information disclosure, and SQL injection bugs in Ruggedcom Crossbow devices, including high-severity issues. 

It’s worth noting that Siemens has yet to release actual patches for some of these vulnerabilities. In some cases, only mitigations are currently available. 

Schneider Electric

Schneider Electric has published three new advisories covering a total of 10 vulnerabilities. 

One advisory describes a critical vulnerability in PowerLogic power meters. The flaw can be exploited for DoS attacks or remote code execution.

Another advisory describes eight security holes found in the IGSS SCADA product. Various modules of IGSS are affected by DoS and remote code execution issues that have been assigned ‘high’ and ‘medium’ severity ratings. 

The last advisory informs users about a session hijacking issue affecting the EcoStruxure Power Monitoring Expert product.

Siemens and Schneider on Tuesday also updated dozens of previous advisories to inform customers about the availability of patches, new CVEs, changes in affected product lists, and other information.

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Related: ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Related: 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights