On the first Patch Tuesday of 2024, industrial giants Siemens and Schneider Electric released a total of only seven new security advisories, announcing fixes for 22 vulnerabilities.
Siemens has published six new advisories covering 21 vulnerabilities. The most serious, based on its CVSS score of 10, is a vulnerability affecting Simatic IPCs, specifically in the Redfish server component of Microchip's MaxView Storage Manager. Microchip has released a patch for MaxView and users have been advised to install it.
Siemens has also informed customers about critical and high-severity Simatic CN 4100 vulnerabilities that can be exploited to remotely take control of a device.
The company also patched a dozen vulnerabilities in Solid Edge 2023. These appear to be variations of a single attack method involving PAR files — attackers could execute arbitrary code by getting the victim to open specially crafted files.
Security holes related to the processing of specially crafted files — this time CGM files — were also addressed in the Teamcenter Visualization and JT2Go products.
In addition, Siemens has patched a vulnerability in Spectrum Power 7 that could allow arbitrary code injection and root access to the system, but exploitation requires local access with admin privileges.
A medium-severity issue in Sicam A8000 devices has been patched to prevent authenticated attackers from injecting commands that would be executed on the device with root privileges during startup.
Schneider Electric has only published one new advisory, to inform customers about a high-severity Easergy Studio vulnerability that could “allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object”.