Connect with us

Hi, what are you looking for?



Siemens Warns of Security Risks Associated With Use of ActiveX

Siemens this week addressed several vulnerabilities and warned customers about the security risks associated with the use of ActiveX in industrial products.

Siemens this week addressed several vulnerabilities and warned customers about the security risks associated with the use of ActiveX in industrial products.

Microsoft’s ActiveX controls make it possible for websites to provide certain types of content, such as videos and games, and they allow users to interact with certain types of elements in the browser, such as toolbars. However, ActiveX has been known to pose serious security risks and it’s currently only supported by Microsoft on Internet Explorer — ActiveX is not supported by other browsers such as Chrome, Safari or Firefox.

Even Microsoft has advised Internet Explorer 11 users not to disable security settings that prevent the downloading and execution of ActiveX controls, unless absolutely necessary. Malicious hackers can abuse ActiveX to collect information about a user, install malware, or take control of a device.

Some of Siemens’ industrial products — the list includes SIMATIC WinCC, SIMATIC STEP 7, SIMATIC PCS 7, TIA Portal, and S7-PLCSIM Advanced — rely on ActiveX components and customers need to use Internet Explorer to execute these components.

However, the German industrial giant has warned that using Internet Explorer to access untrusted websites can pose serious security risks. Siemens recommends using a web browser that does not support ActiveX if accessing web pages other than the ones associated with the company’s products.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s 2020 ICS Cyber Security Conference

Siemens also informed customers this week that it has patched a high-severity authentication bypass vulnerability in its SCALANCE X industrial switches. According to the company, an unauthenticated attacker with network access to the targeted switch can hack the device by sending a specially crafted GET request to a specific URI on the web-based configuration interface.

Advertisement. Scroll to continue reading.

Researcher Maxim Rupp, who reported the vulnerability to Siemens, told SecurityWeek that an attacker could exploit this weakness to obtain sensitive internal information, access the device’s configuration interface, and change its settings. Rupp said he reported the flaw to Siemens in early 2019.

The vulnerability has been patched in SCALANCE X-300 and X408 switches, and the vendor has provided mitigations for other affected devices.

Siemens also patched a critical vulnerability in SINEMA Server that can allow an authenticated user with low privileges to perform firmware updates and other operations on a device.

The advisories published this week by Siemens also address a high-severity local privilege escalation vulnerability in TIA Portal, which can allow an attacker to execute code with SYSTEM privileges, and a medium-severity access control issue in SINAMICS PERFECT HARMONY.

Related: Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs

Related: Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...