Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Siemens, Schneider Electric Inform Customers About Tens of Vulnerabilities

Industrial automation giants Siemens and Schneider Electric on Tuesday released several security advisories to inform customers about tens of vulnerabilities affecting their products. The companies have provided patches and recommendations for reducing the risk of exploitation.

Industrial automation giants Siemens and Schneider Electric on Tuesday released several security advisories to inform customers about tens of vulnerabilities affecting their products. The companies have provided patches and recommendations for reducing the risk of exploitation.

Siemens

The eight new advisories released by Siemens on this Patch Tuesday cover roughly two dozen vulnerabilities affecting its Simcenter Femap, SIMATIC TIM, Solid Edge, SIMATIC NET, Mendix, JT2Go, Teamcenter Visualization, and SIMATIC RF products.

The only advisory with an overall severity rating of critical describes 15 vulnerabilities affecting the SIMATIC NET CP 443-1 OPC UA, specifically its NTP (Network Time Protocol) component. The flaws were discovered in NTP between 2015 and 2017, but it’s not uncommon for industrial solutions providers to patch third-party software components years after the fixes were made available.

These NTP vulnerabilities can be exploited for DoS attacks, bypassing security mechanisms, executing arbitrary code remotely, obtaining information, and manipulating time.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series

The remaining advisories released by Siemens have an overall severity rating of high. They describe security holes that can be exploited for DoS attacks, arbitrary code execution, data extraction, privilege escalation, and bypassing security mechanisms.

Schneider Electric

Advertisement. Scroll to continue reading.

Schneider Electric also described roughly two dozen vulnerabilities in the new advisories published on Tuesday.

One advisory describes 13 flaws affecting the company’s Interactive Graphical SCADA System (IGSS) SCADA product. The security holes have been rated high severity and their exploitation can result in loss of data or remote code execution. An attacker could exploit the vulnerabilities by getting the targeted user to open malicious files.

Two advisories describe a dozen vulnerabilities affecting two of Schneider’s PowerLogic products. The flaws, the most serious of which allows an attacker to gain admin-level access to a device, were reported to Schneider by a researcher from industrial cybersecurity firm Dragos.

Another advisory informs organizations about some vulnerabilities in IEC 61131-3 programming and engineering tools. The bugs are introduced by the use of Rockwell Automation’s ISaGRAF automation software, which is used by other vendors as well.

The remaining advisories describe information disclosure issues in the Enerlin’X Com’X 510 and Modicon X80 BMXNOR0200H RTU products.

Related: Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

Related: Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Mario Duarte, formerly head of security at Snowflake, has joined Aembit as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.