Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Release 19 New Security Advisories

Industrial giants Siemens and Schneider Electric have released a total of 19 security advisories for the October 2022 Patch Tuesday. The advisories cover 36 vulnerabilities affecting their ICS products.

Siemens

Industrial giants Siemens and Schneider Electric have released a total of 19 security advisories for the October 2022 Patch Tuesday. The advisories cover 36 vulnerabilities affecting their ICS products.

Siemens

Siemens has released 15 advisories that cover two dozen security holes. The most important of them appears to be CVE-2022-38465, which is related to a global cryptographic key not being properly protected.

A threat actor could launch an offline attack against a single Siemens PLC and obtain a private key that can then be used to compromise that entire product line.

The attacker can then obtain sensitive configuration data or launch man-in-the-middle (MitM) attacks that enable them to read or modify data between the PLC and its connected HMIs and engineering workstations.

Siemens has made significant changes to how PLCs are protected and it has released updates that customers have been instructed to apply. The company has also released a separate security bulletin detailing the vulnerability and its root cause. Industrial cybersecurity firm Claroty, whose researchers discovered the flaw, has published a blog post detailing its findings.

“Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing,” Siemens warned.

Siemens has also informed customers about a critical authentication-related vulnerability affecting Desigo CC and Cerberus DMS, allowing attackers to impersonate other users or exploit the client-server protocol without being authenticated. Patches are not available, but the vendor has recommended some mitigations.

Advertisement. Scroll to continue reading.

Fixes are also not available for critical and high-severity remote code execution and DoS vulnerabilities affecting Logo! 8 BM devices.

2022 ICS Cyber Security Conference

A ‘critical’ severity rating has also been assigned to a vulnerability in Sicam P850 and P855 devices. It allows an authenticated attacker to execute arbitrary code or cause a DoS condition.

A majority of the remaining advisories describe high-severity flaws. This includes webserver vulnerabilities in Desigo PXM devices, privilege escalation and DoS issues in Scalance and Ruggedcom products, DoS flaws in products based on the Nucleus RTOS, a DoS vulnerability in Simatic HMI panels, a spoofing vulnerability in Industrial Edge Management, an XSS flaw in Scalance switches, and file parsing vulnerabilities in Solid Edge, JTTK and Simcenter Femap.

Schneider Electric

Schneider Electric has released four new advisories covering a dozen vulnerabilities.

Six high-severity flaws that could lead to arbitrary code execution have been identified in EcoStruxure Operator Terminal Expert and Pro-face BLUE products. However, exploitation of these vulnerabilities requires local user privileges and involves loading malicious files.

Schneider’s EcoStruxure Power Operation and Power SCADA Operation software is affected by a vulnerability that could allow an attacker to view data, change settings or cause disruption by getting a user to click on a specially crafted link.

EcoStruxure Panel Server Box is affected by high- and medium-severity issues that can be exploited for arbitrary writes — this could lead to code execution — and DoS attacks.

Lastly, the third party ISaGRAF Workbench software used by SAGE RTU products is affected by three medium-severity bugs that could result in arbitrary code execution or privilege escalation. User interaction is required for exploitation.

Patches and/or mitigations are available for these vulnerabilities.

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 80 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix High-Severity Vulnerabilities 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.