Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS Patch Tuesday: Siemens, Schneider Electric Release 19 New Security Advisories

Industrial giants Siemens and Schneider Electric have released a total of 19 security advisories for the October 2022 Patch Tuesday. The advisories cover 36 vulnerabilities affecting their ICS products.

Siemens

Industrial giants Siemens and Schneider Electric have released a total of 19 security advisories for the October 2022 Patch Tuesday. The advisories cover 36 vulnerabilities affecting their ICS products.

Siemens

Siemens has released 15 advisories that cover two dozen security holes. The most important of them appears to be CVE-2022-38465, which is related to a global cryptographic key not being properly protected.

A threat actor could launch an offline attack against a single Siemens PLC and obtain a private key that can then be used to compromise that entire product line.

The attacker can then obtain sensitive configuration data or launch man-in-the-middle (MitM) attacks that enable them to read or modify data between the PLC and its connected HMIs and engineering workstations.

Siemens has made significant changes to how PLCs are protected and it has released updates that customers have been instructed to apply. The company has also released a separate security bulletin detailing the vulnerability and its root cause. Industrial cybersecurity firm Claroty, whose researchers discovered the flaw, has published a blog post detailing its findings.

“Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing,” Siemens warned.

Siemens has also informed customers about a critical authentication-related vulnerability affecting Desigo CC and Cerberus DMS, allowing attackers to impersonate other users or exploit the client-server protocol without being authenticated. Patches are not available, but the vendor has recommended some mitigations.

Advertisement. Scroll to continue reading.

Fixes are also not available for critical and high-severity remote code execution and DoS vulnerabilities affecting Logo! 8 BM devices.

2022 ICS Cyber Security Conference

A ‘critical’ severity rating has also been assigned to a vulnerability in Sicam P850 and P855 devices. It allows an authenticated attacker to execute arbitrary code or cause a DoS condition.

A majority of the remaining advisories describe high-severity flaws. This includes webserver vulnerabilities in Desigo PXM devices, privilege escalation and DoS issues in Scalance and Ruggedcom products, DoS flaws in products based on the Nucleus RTOS, a DoS vulnerability in Simatic HMI panels, a spoofing vulnerability in Industrial Edge Management, an XSS flaw in Scalance switches, and file parsing vulnerabilities in Solid Edge, JTTK and Simcenter Femap.

Schneider Electric

Schneider Electric has released four new advisories covering a dozen vulnerabilities.

Six high-severity flaws that could lead to arbitrary code execution have been identified in EcoStruxure Operator Terminal Expert and Pro-face BLUE products. However, exploitation of these vulnerabilities requires local user privileges and involves loading malicious files.

Schneider’s EcoStruxure Power Operation and Power SCADA Operation software is affected by a vulnerability that could allow an attacker to view data, change settings or cause disruption by getting a user to click on a specially crafted link.

EcoStruxure Panel Server Box is affected by high- and medium-severity issues that can be exploited for arbitrary writes — this could lead to code execution — and DoS attacks.

Lastly, the third party ISaGRAF Workbench software used by SAGE RTU products is affected by three medium-severity bugs that could result in arbitrary code execution or privilege escalation. User interaction is required for exploitation.

Patches and/or mitigations are available for these vulnerabilities.

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 80 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix High-Severity Vulnerabilities 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.