
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Rockwell, Aveva, Schneider

An Aveva vulnerability also impacts Schneider Electric products and both vendors have published advisories.


Industrial giants Siemens, Schneider Electric, Rockwell Automation, and Aveva have released Patch Tuesday advisories informing customers about vulnerabilities in their ICS/OT products.

Siemens published six new advisories. One of them covers two vulnerabilities in the Comos plant engineering software: a critical code execution flaw and a high-severity security bypass issue.

Vulnerabilities have also been addressed in Siemens Solid Edge (remote MitM, code execution), Altair Grid Engine (code execution), Logo! 8 BM (code execution, DoS, settings tampering), and Sicam P850 (CSRF) products.

Rockwell Automation published five new advisories on November 11, each covering high-severity vulnerabilities found in various products.

The company informed customers of its Verve Asset Manager OT security platform that the product is affected by a high-severity access control issue that allows unauthorized read-only users to tamper with other user accounts via an API.

In the Studio 5000 integrated design environment for Logix 5000 controllers, Rockwell fixed an SSRF flaw exposing NTLM hashes, as well as a local code execution bug.


MFA bypass and persistent XSS vulnerabilities have been patched in FactoryTalk DataMosaix Private Cloud. In addition, flaws introduced by the use of third-party components have been fixed in SIS Workstation (code execution) and FactoryTalk Policy Manager (DoS).

Aveva published two new advisories on Tuesday. One of them describes a high-severity persistent XSS flaw that can be exploited for privilege escalation.

The second advisory covers an Aveva Edge vulnerability that allows an attacker with read access to project and cache files to obtain user passwords by brute-forcing weak hashes.

This vulnerability also impacts Schneider Electric’s EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio products. Schneider published two new advisories this Patch Tuesday, one of which covers the impact of this flaw.

Schneider’s second advisory describes high-severity path traversal, authentication brute-forcing, and privilege escalation issues in the PowerChute Serial Shutdown UPS management software.

Moxa, ABB, Honeywell, and Mitsubishi Electric did not publish any advisories on Patch Tuesday, but they all informed customers about fixed vulnerabilities in the preceding days. Germany’s VDE@CERT also published two advisories in recent days.

Related: ICS Patch Tuesday: Fixes Announced by Siemens, Schneider, Rockwell, ABB, Phoenix Contact

Related: ICS Patch Tuesday: Rockwell Automation Leads With 8 Security Advisories

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
