ICS Patch Tuesday: Advisories Published by Siemens, Schneider, Phoenix Contact, CERT@VDE

The post ICS Patch Tuesday: Advisories Published by Siemens, Schneider, Phoenix Contact, CERT@VDE appeared first on SecurityWeek.

Industrial control system (ICS) security advisories were published on Tuesday by Siemens, Schneider Electric, Phoenix Contact and CERT@VDE.

Siemens has published 13 new advisories. This is not uncommon for the company, but it does not show that its products are more vulnerable than those of other vendors. Instead, it should be viewed as proof of the industrial giant’s significant investment in the security of its products.

The company has addressed critical-severity vulnerabilities in Sinec Security Monitor (code execution), Sentron PAC3200 (admin access), WibuKey (third-party dongle flaws), HiMed Cockpit (kiosk mode escape), and Sentron Powercenter 1000 (DoS).

Siemens has also addressed high-severity arbitrary code execution vulnerabilities in Teamcenter Visualization, JT2Go, Simcenter Nastran, and Tecnomatix Plant Simulation.

Medium-severity issues have been resolved in Ruggedcom APE1808LNX, Questa and ModelSim, and Simatic S7-1500 and S7-1200 products.

Schneider Electric has published eight new advisories, a significant number compared to most months. One of them describes a critical vulnerability in Harmony and Pro-face PS5000 legacy industrial PCs that can allow an attacker to obtain sensitive information.

The industrial giant has also informed customers about critical and high-severity vulnerabilities in the Yocto OS, which is used in Harmony iPC – HMIBSC IIoT Edge Box Core. However, the OS cannot be updated due to hardware limitations. The same operating system is also used in the EcoStruxure EV Charging Expert product. 

Schneider has also informed customers about patches for high-severity vulnerabilities in Easergy Studio (privilege escalation), Data Center Expert (information disclosure), EcoStruxure Power Monitoring Expert (remote code execution), EVlink Home Smart and Schneider Charge charging stations (information disclosure), and Zelio Soft 2 (remote code execution, DoS).

Phoenix Contact on Tuesday published one new advisory to inform customers about several high-severity DoS flaws introduced in PLCnext Engineer by the use of third-party components. 

Germany’s CERT@VDE also posted a copy of the Phoenix Contact advisory on Patch Tuesday, along with an advisory describing the impact of the OpenSSH vulnerability dubbed regreSSHion on multiple Pepperl+Fuchs products.

“The affected devices run a SSH server that is affected by the regreSSHion vulnerability despite the fact that no user can actually log in through SSH. Attackers may exploit this vulnerability to gain root access to the device,” CERT@VDE explained. 

Rockwell Automation has not published any advisories on Patch Tuesday, but it did release two advisories on Monday. They cover high-severity DoS vulnerabilities in PowerFlex 6000T and Logix products. 

Last week, the company informed customers about high-severity information disclosure flaws affecting DataMosaix and Verve Asset Manager products. 
