ICS Patch Tuesday: Siemens, Schneider Electric, CISA Issue Advisories


Major industrial control systems (ICS) providers on Tuesday released security advisories to warn customers of vulnerabilities found and addressed in their products.

Siemens published 17 new security advisories describing over 50 vulnerabilities and released patches and mitigations for the flaws. Additionally, the company updated 21 previously released advisories with additional information.

The most severe of these security defects is a critical bug in SINEMA Remote Connect Server that could allow an authenticated attacker to escalate their privileges on the underlying operating system.

On Tuesday, the ICS provider also published an advisory on CVE-2024-3596, the BlastRADIUS vulnerability discovered in the RADIUS protocol that could allow attackers to bypass multi-factor authentication (MFA) protections.

The company has released patches for some of these products and plans updates for several product families, and recommends restricting access to the networks where RADIUS messages are exchanged and configuring “the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it.”
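To make the recommended server-side mitigation concrete, the following added example (written for this article, not code from Siemens or from any RADIUS implementation) parses a RADIUS Access-Request per RFC 2865, rejects it when the Message-Authenticator attribute (type 80, RFC 2869) is absent, and otherwise verifies the attribute's HMAC-MD5 over the packet with the attribute value zeroed. The shared secret, user name and packets are constructed sample values; a real server applies this check only to clients that have been confirmed to send the attribute, as the quoted advice says.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1             # RADIUS Code for Access-Request (RFC 2865)
USER_NAME = 1                  # attribute type User-Name
MESSAGE_AUTHENTICATOR = 80     # attribute type Message-Authenticator (RFC 2869)
HEADER_LEN = 20                # Code, Identifier, Length, 16-byte Authenticator


def parse_attributes(packet):
    """Return a list of (type, value_offset, value) for every attribute after the header."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # Attribute Length covers Type and Length octets, so it is never below 2.
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def check_access_request(packet, secret):
    """Return (ok, reason); ok is True only for an Access-Request with a valid Message-Authenticator."""
    if len(packet) < HEADER_LEN:
        return False, "packet too short"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field mismatch"
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    attrs = parse_attributes(packet)
    found = [(off, val) for atype, off, val in attrs if atype == MESSAGE_AUTHENTICATOR]
    if not found:
        # This is the case the mitigation closes: a request with no integrity check.
        return False, "Message-Authenticator missing"
    if len(found) > 1:
        return False, "multiple Message-Authenticator attributes"
    off, val = found[0]
    if len(val) != 16:
        return False, "Message-Authenticator wrong length"
    # RFC 2869: HMAC-MD5 keyed with the shared secret over the whole packet,
    # with the 16 value octets of Message-Authenticator set to zero.
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, val):
        return False, "Message-Authenticator invalid"
    return True, "ok"


def build_access_request(secret, username, ident=1, request_authenticator=None, include_ma=True):
    """Construct a sample Access-Request (constructed input for this example, not a captured packet)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    uname = username.encode()
    attrs = bytes([USER_NAME, 2 + len(uname)]) + uname
    if include_ma:
        ma_value_offset = HEADER_LEN + len(attrs) + 2
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    packet += request_authenticator + attrs
    if include_ma:
        digest = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:ma_value_offset] + digest + packet[ma_value_offset + 16:]
    return packet


if __name__ == "__main__":
    secret = b"example-shared-secret"      # constructed value
    good = build_access_request(secret, "plc01")
    print(check_access_request(good, secret))
    print(check_access_request(build_access_request(secret, "plc01", include_ma=False), secret))
```

The same `check_access_request` function can be run over packets captured from a RADIUS client during a migration to confirm that the client actually emits Message-Authenticator before the server is switched to require it.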

Schneider Electric released four new advisories describing six vulnerabilities impacting its Wiser Home Controller WHC-5918A, EcoStruxure Foxboro DCS, EcoStruxure Foxboro SCADA FoxRTU Station, and Modicon controller products.

The most important of these issues is a critical-severity vulnerability in Wiser Home Controller WHC-5918A, a C-Bus based home automation controller discontinued nine years ago.

“Customers should consider upgrading to the latest product offering, C-Bus, Home Controller, SpaceLogic IP, Free Standing, 24V DC, 5200WHC2, or removing the Wiser Home Controller WHC-5918A from service,” the industrial giant warns.


The company has released patches for high-severity flaws in EcoStruxure Foxboro DCS and EcoStruxure Foxboro SCADA FoxRTU Station products, but has yet to establish a remediation plan for the medium-severity bug in Modicon controllers.

German maker of industrial controllers Ifm Electronic GmbH on Tuesday released patches for five vulnerabilities in the Smart PLC firmware, including two critical-severity issues that could allow attackers to access vulnerable devices with high privileges or inject OS commands to enable telnet access that accepts hardcoded credentials.

The US cybersecurity agency CISA on Tuesday published seven ICS advisories describing vulnerabilities in Delta Electronics, Mitsubishi Electric, Johnson Controls, and PTC products.

A high-severity code execution bug in Mitsubishi Electric MELIPC series MI5122-VW devices could allow an attacker to tamper with information or cause a denial-of-service (DoS) condition. Upgrading to firmware version 08 resolves the issue.

Mitsubishi Electric also updated an advisory for a critical-severity code execution flaw (CVE-2023-4088) initially disclosed in September 2023 to expand the list of affected products.

High-severity improper validation of user-supplied input in Delta Electronics CNCSoft-G2 could allow attackers to execute code in the context of the current process. CNCSoft-G2 version 2.1.0.10 or later addresses these issues.

CISA also warned of high-severity vulnerabilities in Johnson Controls C●CURE 9000 that could allow attackers to access credentials or gain administrative access to a vulnerable device, and of a critical flaw in PTC Creo Elements/Direct License Server that could lead to remote code execution.
