"ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities"

Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2022. Siemens published nine new security advisories covering a total of 30 vulnerabilities, while Schneider published only one new advisory. Of Siemens' nine advisories, three describe vulnerabilities rated "critical." Four vulnerabilities, one rated high severity and three rated critical, have been found in Sicam Q100 power meter devices; Siemens noted that they can allow an attacker to hijack user sessions, crash the device, or execute arbitrary code. Another Siemens advisory covers more than a dozen vulnerabilities in Scalance W1750D devices, including many rated "critical" that could allow an attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. Patches are not yet available for these, but the vendor has provided mitigations. The last Siemens advisory addressing a critical vulnerability describes a weak key protection issue in Sinumerik products; the same issue was addressed in Simatic products last month. A further Siemens advisory noted that high-severity vulnerabilities had been patched in the Teamcenter Visualization and JT2Go products (DoS and remote code execution), Parasolid (remote code execution), and QMS Automotive (credentials exposure). Medium-severity flaws were also found in Ruggedcom ROS devices, industrial controllers, and the Sinec network management system. Schneider Electric's single new advisory covers three vulnerabilities that expose its NetBotz security and environmental monitors to cross-site scripting (XSS), account takeover, and clickjacking attacks. The French industrial giant has released patches.


SecurityWeek reports: "ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities"
