Industrial giants Siemens and Schneider Electric have released a total of 19 security advisories for the October 2022 Patch Tuesday. The advisories cover 36 vulnerabilities affecting their ICS products.
Siemens has released 15 advisories that cover two dozen security holes. The most important of them appears to be CVE-2022-38465, which is related to a global cryptographic key not being properly protected.
A threat actor could launch an offline attack against a single Siemens PLC and obtain a private key that can then be used to compromise that entire product line.
The attacker can then obtain sensitive configuration data or launch man-in-the-middle (MitM) attacks that enable them to read or modify data between the PLC and its connected HMIs and engineering workstations.
Siemens has made significant changes to how PLCs are protected and it has released updates that customers have been instructed to apply. The company has also released a separate security bulletin detailing the vulnerability and its root cause. Industrial cybersecurity firm Claroty, whose researchers discovered the flaw, has published a blog post detailing its findings.
“Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing,” Siemens warned.
Siemens has also informed customers about a critical authentication-related vulnerability affecting Desigo CC and Cerberus DMS, allowing attackers to impersonate other users or exploit the client-server protocol without being authenticated. Patches are not available, but the vendor has recommended some mitigations.
Fixes are also not available for critical and high-severity remote code execution and DoS vulnerabilities affecting Logo! 8 BM devices.
A ‘critical’ severity rating has also been assigned to a vulnerability in Sicam P850 and P855 devices. It allows an authenticated attacker to execute arbitrary code or cause a DoS condition.
A majority of the remaining advisories describe high-severity flaws. This includes webserver vulnerabilities in Desigo PXM devices, privilege escalation and DoS issues in Scalance and Ruggedcom products, DoS flaws in products based on the Nucleus RTOS, a DoS vulnerability in Simatic HMI panels, a spoofing vulnerability in Industrial Edge Management, an XSS flaw in Scalance switches, and file parsing vulnerabilities in Solid Edge, JTTK and Simcenter Femap.
Schneider Electric has released four new advisories covering a dozen vulnerabilities.
Six high-severity flaws that could lead to arbitrary code execution have been identified in EcoStruxure Operator Terminal Expert and Pro-face BLUE products. However, exploitation of these vulnerabilities requires local user privileges and involves loading malicious files.
Schneider’s EcoStruxure Power Operation and Power SCADA Operation software is affected by a vulnerability that could allow an attacker to view data, change settings or cause disruption by getting a user to click on a specially crafted link.
EcoStruxure Panel Server Box is affected by high- and medium-severity issues that can be exploited for arbitrary writes — this could lead to code execution — and DoS attacks.
Lastly, the third party ISaGRAF Workbench software used by SAGE RTU products is affected by three medium-severity bugs that could result in arbitrary code execution or privilege escalation. User interaction is required for exploitation.
Patches and/or mitigations are available for these vulnerabilities.