ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities
Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.
Siemens
Siemens has published six new advisories describing 26 vulnerabilities. The company has informed customers about two critical flaws in Siveillance Video products that can be exploited for authenticated remote code execution.
The Scalance local processing engine (LPE) is affected by one critical and four low-severity issues. The flaws can be exploited to access the underlying operating system with elevated privileges, access data, and cause a DoS condition.
Several critical and high-severity vulnerabilities have been patched in third-party components used by the Sinec network management system.
Issues related to command injection, hardcoded credentials, path traversal, information access, and DoS have been addressed in the Simatic Cloud Connect 7 IoT gateway.
Siemens has patched several vulnerabilities that can be exploited using specially crafted files for code execution, information disclosure and DoS attacks in Solid Edge tools.
The company has also notified customers about a Wi-Fi client isolation bypass attack that allows an attacker to intercept traffic at the MAC layer. The issue affects Scalance devices, but a fix has yet to be released.
For all other vulnerabilities, Siemens has released patches.
Schneider Electric
Schneider Electric has published four new advisories that describe half a dozen vulnerabilities.
One advisory covers a high-severity vulnerability affecting PowerLogic power meters. The flaw allows an attacker who can intercept network traffic to obtain sensitive information, modify data, or cause a DoS condition.
Another advisory informs customers about an OPC Factory Server vulnerability that can be exploited to obtain sensitive information.
Two of the Schneider advisories inform customers about vulnerabilities affecting Aveva products — Schneider acquired Aveva earlier this year. Aveva published its own advisories for the vulnerabilities, which include critical and high-severity issues, in March.
[ Read: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms ]
The French industrial giant also notified customers recently that it’s aware of the public availability of a PoC exploit targeting KNX home and building automation systems.
The PoC exploit that Schneider is warning about, published in March, impacts the company’s spaceLYnk, Wiser for KNX, and FellerLYnk products. The exploit targets two known vulnerabilities: one addressed by the vendor in February 2022 (CVE-2022-22809) and one addressed in August 2020 (CVE-2020-7525).
Schneider issued a warning over KNX attacks back in 2021 and now says “this new exploit brings further attention to the recommended mitigations in that security bulletin”.
Related: Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid
Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities
Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-few-dozen-vulnerabilities/