ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities

Industrial giants Siemens and Schneider Electric have addressed less than a dozen vulnerabilities in their August 2022 Patch Tuesday advisories, far fewer than in most of the previous months.

It’s not uncommon for these companies to address 50 vulnerabilities on a Patch Tuesday, and in some cases their advisories even covered 100 vulnerabilities. This week, however, they only published four advisories each, to inform customers about a total of just 11 vulnerabilities.

Major companies that typically patch a significant number of vulnerabilities each month do occasionally only address a small number of flaws, so it’s too soon to conclude that the products of these vendors have become more secure or that they don’t get as much attention from security researchers.

Siemens

Siemens’ four advisories describe seven security holes. The company informed customers that some of its SCALANCE switches, routers, security appliances and wireless communication devices are affected by three vulnerabilities.

One of the flaws, rated ‘critical’, can allow an authenticated attacker with admin privileges to inject code or spawn a root shell. A high-severity flaw allows an unauthenticated attacker to remotely cause a DoS condition, and a medium-severity issue can be exploited for XSS attacks by an attacker with admin privileges.

A fix is currently only available for SCALANCE SC-600 security appliances and some of the impacted products will not get patches.

In the Teamcenter software, Siemens patched two high-severity flaws that can lead to remote code execution or a DoS condition.

Learn more about vulnerabilities in industrial systems at

SecurityWeek’s ICS Cyber Security Conference

The company has informed customers about one medium-severity information disclosure vulnerability in Simcenter STAR-CCM+ and one medium-severity authentication bypass issue affecting the SICAM A8000 web server module. The Simcenter flaw has yet to be fixed and Siemens does not plan on patching the SICAM vulnerability.

Schneider Electric

Schneider Electric’s four advisories describe one vulnerability each. Based on CVSS score — which can be misleading in the case of ICS products — the most important advisory describes a critical issue in EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M580 and M340 products. The security hole is related to a weak password recovery mechanism and it can allow an attacker to gain unauthorized access to a device.

In Modicon PLC and PAC products, Schneider fixed a high-severity vulnerability that can lead to a DoS condition, as well as a high-severity flaw that can lead to the exposure of sensitive information, such as password hashes and project data.

A DoS vulnerability that can be exploited using specially crafted project files has been fixed in the EcoStruxure Control Expert product.

Schneider Electric has released patches and mitigations for each of the vulnerabilities.

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 80 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities