ICS Patch Tuesday: Advisories Released by Siemens, Schneider, Rockwell, Aveva


Industrial control system (ICS) security advisories were published on Tuesday by Siemens, Schneider Electric, Rockwell Automation, Aveva, and the US cybersecurity agency CISA.

Siemens has published nine new advisories covering roughly 50 vulnerabilities. Nearly 30 flaws, including ones rated ‘critical severity’ and ‘high severity’, were found in the SINEC Network Management System (NMS) product.

A majority of the flaws impact third-party components, and the list includes CVE-2023-44487, the vulnerability exploited in the wild for record-breaking HTTP/2 Rapid Reset DDoS attacks. 

High-severity vulnerabilities that can lead to remote code execution, denial of service (DoS), or information disclosure have been patched by Siemens in Intralog WMS, Teamcenter Visualization, JT2Go, NX, Scalance M-800, Sinec Traffic Analyzer, and Comos products.

Siemens patched medium-severity password protection-related issues in Location Intelligence and Logo.

Schneider Electric has published two new advisories. One of them informs customers about an EcoStruxure Machine SCADA Expert and Blue Open Studio vulnerability introduced by the use of an Aveva component. Aveva addressed the issue, which can be exploited for privilege escalation, in January 2024. 

Schneider’s second advisory describes a high-severity DoS vulnerability affecting the Accutech Manager software, which is designed for configuring and monitoring Accutech Wireless sensors. The flaw can be exploited without authentication. 

Industrial software maker Aveva has published three new advisories — all with a severity rating of ‘high’.


They address a DoS vulnerability in SuiteLink Server, code execution and file manipulation in Aveva Reports for Operations, and an SQL injection bug in Historian Server. 

Rockwell Automation has published nine new advisories, which cover 10 vulnerabilities impacting the company’s products. The security holes have been assigned ‘medium’ and ‘high’ severity ratings. 

The list includes arbitrary code execution flaws in AADvance and FactoryTalk products, and DoS flaws in CompactLogix, GuardLogix, ControlLogix and Micro controllers. Rockwell has also patched an authentication bypass bug in DataMosaix, a DLL hijacking vulnerability in Emulate3D, and an unencrypted data issue in Pavilion8. 

CISA has published 10 ICS advisories, a majority covering the Rockwell Automation product vulnerabilities disclosed on Tuesday by the vendor. Two advisories cover the Aveva SuiteLink Server bug and vulnerabilities in Ocean Data Systems Dream Report.
