Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Posts
Filter by Categories







[CVSS 10] Sep 23 ICS Patches by Siemens and Schneider Electric

Summary of ICS Patch Tuesday for September

Siemens and Schneider Electric’s Patch Tuesday advisories for September 2023 have been published. Siemens addressed a total of 45 vulnerabilities across its industrial products, while Schneider Electric released one advisory for a high-severity vulnerability in its IGSS product.

Siemens Vulnerabilities

Siemens published seven new advisories covering various vulnerabilities affecting their industrial products. Notable vulnerabilities include:

  • CVE-2023-3935: A critical vulnerability affecting Wibu Systems’ CodeMeter software licensing and protection technology used by several Siemens products, potentially allowing remote, unauthenticated attackers to execute arbitrary code. CVSS Score: 10.0 (Critical)
  • Vulnerabilities in QMS Automotive affecting session hijacking, malicious file uploads, information exposure, DoS attacks, and arbitrary code execution.
  • Nearly two dozen medium- and high-severity vulnerabilities affecting the BIOS provided by Insyde in the RUGGEDCOM APE1808 product family.
  • Remote code execution vulnerabilities affecting Parasolid, Teamcenter Visualization, and JT2Go through specially crafted files.
  • An ANSI C OPC UA SDK vulnerability impacting many SIMATIC and SIPLUS products, potentially causing a DoS condition via a specially crafted certificate.

Siemens has also shared that the company has been working on fixes for the Intel CPU vulnerability called “Downfall” affecting SIMATIC industrial PCs.

Schneider Electric Vulnerabilities

Schneider Electric released one advisory concerning a high-severity vulnerability in its IGSS (Interactive Graphical SCADA System) product. The flaw is described as a missing authentication issue that could allow a local attacker to change update sources, potentially leading to remote code execution when the attacker forces an update containing malicious content.

Patching in ICS Environments

Patching in ICS environments can be challenging due to the critical nature of these systems and the potential for downtime or system failures caused by patching. However, it is essential to maintain the security and reliability of ICS systems. Best practices for ICS patching include:

  • Actively searching for new patches and vulnerabilities
  • Testing patches on non-critical systems before deployment
  • Following a systematic patch process with policies for scanning, categorizing, prioritizing, and deploying patches

RECENT BLOG POSTS

PODCASTS

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.