lconstantin
CSO Senior Writer

Siemens, other vendors patch critical ICS product vulnerabilities

News Analysis
Mar 20, 2024 | 4 mins
Critical Infrastructure, Vulnerabilities

Some of the flaws outlined in 15 advisories could result in remote code execution on industrial control systems.

Credit: Gorodenkoff / Shutterstock

The US Cybersecurity & Infrastructure Security Agency (CISA) released 15 advisories covering serious vulnerabilities in industrial control products from Siemens, Mitsubishi Electric, Delta Electronics, and Softing Industrial Automation. Some of the flaws are rated with high and critical severity and can result in remote code execution.

Eleven of the 15 advisories cover vulnerabilities in Siemens products, but the number is not surprising considering how many product lines Siemens has in its portfolio and the fact that the company is an ICS vendor with a very active cybersecurity program. Four of the Siemens advisories contain critical severity flaws with CVSS scores between 9 and 10, while another three contain high severity ones with scores between 7 and 9. The rest cover medium and lower severity issues.

Remote code execution flaws could allow access to equipment, sensitive information

The first remote code execution vulnerability is an improper access control issue (CVE-2022-32257) in web service endpoints that are part of the SINEMA Remote Connect Server, a Siemens platform that enables the management of VPN tunnels between headquarters, service technicians and installed machines or plants. The flaw is rated 9.8 and impacts SINEMA Remote Connect Server versions prior to V3.2 and V3.1.

A lower severity cross-site scripting issue (CVE-2020-23064) has also been patched in the jQuery library that is part of the service and which could allow remote attackers to execute arbitrary code via the “options” element.

A high-risk vulnerability was also patched in the SINEMA Remote Connect Client component. This flaw, tracked as CVE-2024-22045, could allow attackers to access sensitive information because the product placed such information into files and directories that are accessible to unauthorized users.

A major software update was also released for the SIMATIC RF160B RFID mobile reader, which is a battery-powered handheld terminal used in many industries. The new version 2.2 update addresses more than 150 vulnerabilities discovered over the past several years, 11 of which are rated critical and could result in code execution.

A critical buffer overflow issue (CVE-2024-22039) rated with the highest possible CVSS score of 10.0 was patched in the Sinteso EN and Cerberus PRO EN Fire Protection Systems. The flaw is caused by the network communication library used in the systems improperly validating the length of X.509 certificate attributes. The flaw can be exploited by man-in-the-middle attackers who can intercept the communication of the engineering tool used in the fire system network and can result in arbitrary code execution on the underlying operating system as root.
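To make the bug class concrete, here is an added illustration that is not Siemens' code and does not reproduce the actual flaw: a small DER parser that copies one X.509 attribute value into a fixed buffer, with the two bounds checks (value fits the packet, value fits the buffer) whose absence yields exactly this kind of overflow. The buffer size, function name and sample attributes are assumptions.

```c
/* Added example (not Siemens' code): safe copy of one DER-encoded X.509
 * attribute value into a fixed buffer. Dropping either bounds check below
 * turns an attacker-controlled length field into a heap/stack overflow. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ATTR_MAX 64   /* hypothetical fixed-size attribute buffer */

/* Parse one DER TLV from `in` (len bytes) and copy its value into `out`
 * (capacity ATTR_MAX). Returns the value length, or -1 if the element is
 * malformed, truncated, or longer than the destination buffer. */
int der_copy_attr(const uint8_t *in, size_t len, uint8_t *out)
{
    if (len < 2) return -1;                  /* need at least tag + length */
    size_t pos = 1;                          /* skip the tag byte */
    size_t vlen = 0;
    uint8_t first = in[pos++];
    if (first < 0x80) {
        vlen = first;                        /* short-form length */
    } else {
        unsigned nbytes = first & 0x7f;      /* long form: N length bytes */
        if (nbytes == 0 || nbytes > 2 || pos + nbytes > len) return -1;
        for (unsigned i = 0; i < nbytes; i++)
            vlen = (vlen << 8) | in[pos++];
    }
    /* The checks that matter: the claimed length must not exceed what was
     * actually received, nor the buffer the value is copied into. */
    if (vlen > len - pos) return -1;         /* length exceeds packet */
    if (vlen > ATTR_MAX) return -1;          /* length exceeds buffer */
    memcpy(out, in + pos, vlen);
    return (int)vlen;
}

/* Constructed samples: a PrintableString "PLANT", a length field claiming
 * 255 bytes in a 3-byte packet, and a 100-byte value that is fully present
 * but larger than ATTR_MAX. */
static const uint8_t sample_ok[] = {0x13, 0x05, 'P', 'L', 'A', 'N', 'T'};
static const uint8_t sample_truncated[] = {0x13, 0x81, 0xFF};
static uint8_t sample_oversized[2 + 100];

/* Runs the three samples; returns how many behaved as expected (3). */
int check_samples(void)
{
    uint8_t out[ATTR_MAX];
    int good = 0;
    sample_oversized[0] = 0x13; sample_oversized[1] = 0x64;  /* len = 100 */
    memset(sample_oversized + 2, 'A', 100);
    if (der_copy_attr(sample_ok, sizeof sample_ok, out) == 5 &&
        memcmp(out, "PLANT", 5) == 0) good++;
    if (der_copy_attr(sample_truncated, sizeof sample_truncated, out) == -1) good++;
    if (der_copy_attr(sample_oversized, sizeof sample_oversized, out) == -1) good++;
    return good;
}
```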

Two other memory-safety flaws in the same network communication library, which could be exploited by man-in-the-middle attackers to crash the service, were also patched. Because these flaws only impact the application, not the underlying system, they were rated with high severity.

Multiple vulnerabilities, including three critical ones that could lead to remote code execution, were patched in the Siemens RUGGEDCOM APE1808 hardware platform that comes equipped with FortiGate’s Next Generation Firewall (NGFW). The flaws were inherited from, and previously patched in, FortiOS.

Mitsubishi Electric patched multiple critical remote code execution vulnerabilities in its MELSEC-Q/L Series controllers used for factory automation and the MELSEC Series CPU module. These vulnerabilities can be exploited remotely by sending specifically crafted packets over the network to the affected devices.

Patches for high severity industrial control system flaws

Siemens also patched high risk and lower risk flaws in SENTRON 7KM PAC3120 and SENTRON 7KM PAC3220 power monitoring devices; the Siemens Solid Edge product development tool; the SENTRON 3KC ATC6 Expansion Module Ethernet; industrial Ethernet switches from the SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG families; and the Siemens Siveillance Control Physical Security Information Management (PSIM) solution.

Delta Electronics patched several high-risk flaws (CVSS 8.8) in its DIAEnergie industrial energy management system. These are web-based vulnerabilities and include authorization bypasses, SQL injections, cross-site scripting, and a path traversal. A high-risk path traversal flaw and an information disclosure issue were fixed in Softing edgeConnector, a software module that connects SIMATIC S7 controllers to IIoT applications.