Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology.
Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.
Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.
The company informed customers recently that it has started releasing BIOS updates for some of its impacted products, including SIMATIC industrial PCs, SIMATIC field PG rugged laptops, SIMATIC industrial tablet PCs (ITP), and SINUMERIK panel control units (PCU). In addition to firmware patches, users have been advised to install operating system updates, which should mitigate the Meltdown flaw and one variant of Spectre.
Learn More at SecurityWeek’s ICS Cyber Security Conference
The BIOS updates released by the company for the aforementioned SIMATIC and SINUMERIK devices also patch several vulnerabilities discovered last year by researchers in Intel’s Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) technologies.
The flaws impacting these Intel products can be exploited – in most cases locally, but at least one bug is remotely exploitable – for arbitrary code execution, privilege escalation, and denial-of-service (DoS) attacks.
The firmware updates from Siemens also fix a vulnerability affecting the Trusted Platform Module (TPM) in chips made by German semiconductor manufacturer Infineon.
The flaw, CVE-2017-15361, is related to the RSA library in TPM and it could allow a remote attacker who knows the public key to obtain the private RSA key. The security hole affects the products of several major tech firms, including Microsoft, Google, HP, Lenovo and Fujitsu.
Siemens has published separate advisories to inform users about the availability of patches for Meltdown/Spectre, Intel ME, and Infineon TPM vulnerabilities. ICS-CERT has so far published an advisory only for the Infineon issue.
Related: Serious Flaw Found in Many Siemens Industrial Products
Related: Risks to ICS Environments From Spectre and Meltdown Attacks
Related: Experts Find Faster Way to Exploit Infineon Chip Crypto Flaw
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
