ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Moxa, Mitsubishi Electric


Industrial Control System Manufacturers Release Patch Tuesday Advisories

Several major industrial control system (ICS) manufacturers have released Patch Tuesday advisories to address vulnerabilities in their products. Siemens, Schneider Electric, Mitsubishi Electric, and Moxa have all published new advisories to inform customers about recently discovered security issues.

Main Vulnerabilities Addressed

Schneider Electric has released six new advisories, each addressing a single vulnerability. The company has warned customers about high-severity issues in several products, including EcoStruxure IT Data Center Expert, which contains hardcoded credentials, and EcoStruxure Power Monitoring Expert and Power Operation, which are vulnerable to local arbitrary code execution. Schneider Electric has also patched medium-severity flaws in Modicon controllers, which could allow for denial-of-service (DoS) attacks and account takeover via cross-site scripting (XSS), as well as in EcoStruxure Foxboro DCS, which is vulnerable to remote code execution.

Siemens Vulnerabilities

Siemens has addressed a critical stored cross-site scripting (XSS) vulnerability in its Simatic S7-1500 devices and a potentially severe misconfiguration in Mendix applications. The company has also informed customers about vulnerabilities introduced by the use of third-party components, including Fortinet and OpenSSL. Siemens has patched high- and medium-severity issues in the Sicam Siapp SDK and a low-severity vulnerability in Heliox EV chargers.

Mitsubishi Electric Vulnerabilities

Mitsubishi Electric has published a single advisory to describe a remotely exploitable DoS vulnerability in its Numerical Control Systems, including C80, M800, M800V, and M700V series products. This vulnerability is in addition to multiple remotely exploitable DoS flaws in MELSEC iQ-F Series controllers, which the company disclosed earlier this month.

Moxa Vulnerabilities

Moxa has released four new advisories, including three that describe the impact of vulnerabilities discovered in Intel products. The fourth advisory informs customers that Moxa products are not affected by a recent GNU Inetutils vulnerability.

CISA and VDE-CERT Advisories

The Cybersecurity and Infrastructure Security Agency (CISA) has also published ICS advisories this Patch Tuesday, warning about vulnerabilities in Ceragon Siklu MultiHaul and EtherHaul, Lantronix EDS3000PS and EDS5000, and Apeman cameras. CISA has also published an advisory for a recently disclosed Honeywell building controller vulnerability, whose impact the vendor and the researcher who discovered the flaw have disagreed about.

Germany’s VDE-CERT has published advisories for vulnerabilities in Codesys, Janitza, and Weidmueller products. Some of these vulnerabilities can be exploited by remote, unauthenticated attackers to fully compromise the targeted system.
