Siemens and Schneider Electric patch 90 vulnerabilities in SCADA and ICS products: TIME TO WORK FOR SYSADMINS

This will be a busy week for system administrators, as technology companies Siemens and Schneider Electric announced the release of dozens of security patches to address all sorts of flaws in their products. Product managers at these companies should pay attention to these reports.

In its security alert, SIEMENS points out the correction of 36 security flaws, 13 of which make up the set of flaws baptized as NUCLEUS: 13, present in various products of the company.

These 13 vulnerabilities reside in the Nucleus TCP/IP stack, owned by Siemens. A remote threat actor could exploit these flaws in order to deploy remote code execution (RCE), denial of service (DoS), and other hacking variants.

The Siemens report also notes the detection of some high-severity flaws in access points based on the SCALANCE W1750D controller. In the worst cases, successful exploitation of these flaws would allow the deployment of DoS attacks and the leakage of potentially sensitive information.

Finally, the company corrected some disclosure flaws in Climatix POL909, SIMATIC RTLS Locating Manager and Mendix, as well as a code execution error in NX, which should be corrected as soon as possible.

On the other hand, SCHNEIDER ELECTRIC issued security patches to address a total of 17 vulnerabilities, present in products such as SCADAPack 300E, Schneider Electric Software Update, EcoStruxure Process Expert, TelevisAir Dongle BTLE, Eurotherm GUIcon and other solutions.

A specific security alert describes two high-severity vulnerabilities and a medium-severity error in GUIcon, the configuration tool for penGUIn HMI products. Successful exploitation of these flaws would allow the deployment of DoS attacks, remote code execution, and information disclosure; these flaws will not be corrected because the affected products are at the end of their useful life.

Schneider concluded his announcement by asking organizations using the TelevisAir BTLE dongle to replace their devices and thus prevent the exploitation of a Bluetooth flaw that would allow threat actors to intercept communications from a nearby location.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.