Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024

Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities. 

IT/OT Podcast

On the first Patch Tuesday of 2024, industrial giants Siemens and Schneider Electric have released a total of only seven new security advisories, announcing fixes for 22 vulnerabilities. 

Siemens has published six new advisories covering 21 vulnerabilities. The most serious, based on its CVSS score of 10, is a vulnerability in Simatic IPCs, specifically the Redfish server component of MaxView Storage Manager. Microchip has released a patch for its MaxView product and users have been advised to install it.

Siemens has also informed customers about critical and high-severity Simatic CN 4100 vulnerabilities that can be exploited to remotely take control of a device. 

The company also patched a dozen vulnerabilities in Solid Edge 2023. These appear to be related to variations of an attack method involving PAR files — attackers could execute arbitrary code by getting the victim to open specially crafted files. 

Security holes related to the processing of specially crafted files — this time CGM files — were also addressed in the Teamcenter Visualization and JT2Go products.

In addition, Siemens has patched a vulnerability in Spectrum Power 7 that could allow arbitrary code injection and root access to the system, but exploitation requires local access with admin privileges. 

A medium-severity issue in Sicam A8000 devices has been patched to prevent authenticated attackers from injecting commands that would get executed on the device with root privileges during startup.

Schneider Electric has only published one new advisory, to inform customers about a high-severity Easergy Studio vulnerability that could “allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object”.

Advertisement. Scroll to continue reading.

Related: ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric

Related: ICS Patch Tuesday: Electromagnetic Fault Injection, Critical Redis Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...