ICS/OTICS Patch Tuesday: Siemens and Schneider Electric Releases Patch for 50 vulnerabilities

Siemens and Schneider Electric published nine new security warnings that together addressed 50 vulnerabilities impacting its industrial devices.

Recently, Schneider Electric and Siemens Energy indicated that they were the targets of the Cl0p ransomware group’s attack that took use of a MOVEit zero-day vulnerability.

Siemens Patches

To alert consumers to the existence of fixes for more than 40 vulnerabilities, Siemens has published five new advisories.

Siemens fixed a ‘high-severity’ defect that might allow an attacker to get around network isolation as well as a ‘critical’ flaw that could be used to acquire admin access and take full control of a device in its Simatic CN 4100 communication system.

The company patched 21 vulnerabilities in Ruggedcom ROX products, including ones that could be used to steal data, run arbitrary commands or code, create a DoS scenario, or carry out arbitrary activities via CSRF attacks.

The bulk of these security flaws has ‘critical’ or ‘high’ severity rankings and some of them affect third-party components.

In Simatic MV500 optical readers, including in its web server and third-party components, over a dozen vulnerabilities, including ‘critical’ and ‘high-severity; issues, have been fixed. Information disclosure or DoS might result from exploitation.

Patches for six ‘high-severity’ problems with the Tecnomatix Plant Simulation software have also been patched.

By convincing the intended user to open specially crafted files, they provide an attacker the ability to crash the application or maybe execute arbitrary code.

Additionally, Siemens fixed a serious DoS problem affecting the SiPass access control system.

Schneider Electric Patches

There are four new advisories from Schneider Electric. They address six weaknesses in the company’s products as well as over a dozen problems impacting a third-party component, the Codesys runtime system V3 communication server.

Reports say the PacDrive and Modicon controllers, Harmony HMIs, and the SoftSPS simulation runtime integrated with EcoStruxure Machine Expert are all affected by the Codesys weaknesses. Exploiting the security flaws may result in remote code execution and DoS.

Schneider fixed two high-severity and two medium-severity flaws that might have allowed for unauthorized access or remote code execution in the StruxureWare Data Centre Expert (DCE) monitoring software.

Further, a ‘medium-severity’ information disclosure weakness has been patched in the EcoStruxure OPC UA Server Expert product, while a high-severity vulnerability has been addressed in the Accutech Manager sensor application.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.