Security Experts:

Connect with us

Hi, what are you looking for?



Siemens Patches 21 More File Parsing Vulnerabilities in PLM Products

Siemens this week released nine new security advisories describing vulnerabilities affecting the company’s products.

Siemens this week released nine new security advisories describing vulnerabilities affecting the company’s products.

The biggest advisory covers 21 security holes affecting JT2Go, a 3D viewing tool for JT data (ISO-standardized 3D data format), and Teamcenter Visualization, which provides organizations visualization solutions for documents, 2D drawings and 3D models. These products are made by Siemens Digital Industries Software, which specializes in product lifecycle management (PLM) solutions.

All of these vulnerabilities are related to how certain types of files are parsed by these products. An attacker can exploit them for arbitrary code execution, data extraction and DoS attacks if they can trick the targeted user into opening a malicious file. Many of the issues affect the Siemens products due to their use of the Open Design Alliance (ODA) Drawings SDK. The ODA has published its own advisory for the flaws. 

Last month, Siemens informed customers about 18 similar file parsing vulnerabilities in JT2Go and Teamcenter Visualization.

Will Dormann from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University informed Siemens about a serious privilege escalation issue affecting the Totally Integrated Administrator (TIA) portal. An advisory for this vulnerability has also been published on the CERT/CC website.

A high-severity privilege escalation vulnerability was also discovered in DIGSI 4, the operation and configuration software for SIPROTEC 4 and SIPROTEC Compact protection devices.

The German industrial giant also informed customers about a high-severity “Zip-Slip” vulnerability affecting SINEC and SINEMA network management products. The flaw allows an authenticated attacker to upload files or modify existing ones and possibly achieve arbitrary code execution.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Customers were also informed about six medium- and high-severity DoS issues affecting RUGGEDCOM products. The flaws are related to IPsec and they impact the Network Security Services (NSS) and Libreswan components.

Siemens also issued an advisory for CVE-2020-28388, one of the nine TCP/IP stack vulnerabilities disclosed this week by cybersecurity firm Forescout. The flaws, tracked collectively as NUMBER:JACK, allow attackers to hijack or spoof TCP connections.

Patches from Schneider Electric

Schneider Electric only released one new advisory this Patch Tuesday to inform customers about the existence of three vulnerabilities affecting some of its PowerLogic power metering products.

Two of the vulnerabilities, rated high severity, can allow a man-in-the-middle attacker to obtain credentials when intercepting Telnet and HTTP traffic between a user and a device. The third issue is a medium-severity CSRF bug that can be exploited to perform actions on behalf of a legitimate user.

The company has started releasing firmware updates for the impacted products.

Related: Siemens Releases Patches to Prevent Remote Takeover of SIMATIC HMI Panels

Related: Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.