Siemens and Schneider Electric released 25 security advisories to address more than 40 vulnerabilities affecting their industrial control system (ICS) products.

The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks.

Siemens has released 21 new advisories and updated 25 previously published advisories. The new advisories cover 36 vulnerabilities, including five that have been assigned a critical severity rating.

One of the critical flaws, with a CVSS score of 10, impacts the Desigo CC management platform and the Cerberus system. Another critical vulnerability with a CVSS score of 10 is a command injection issue affecting the Siveillance Open Interface Services (OIS) application. It can be exploited by a remote, unauthenticated attacker for code execution with root privileges.

A critical severity rating has also been assigned to a buffer overflow in the web server of APOGEE and TALON automation devices. A remote attacker can exploit the security hole for arbitrary code execution with root privileges.

An update for Siemens’ Industrial Edge app fixes a critical issue that can allow an unauthenticated attacker to change the password of any user on the system, enabling them to impersonate that user.

The last critical flaw impacts SIPROTEC 5 devices and it can allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.

Schneider Electric also published four new advisories covering a total of seven vulnerabilities. Two of the flaws impact the StruxureWare Data Center Expert product, which is designed for managing physical infrastructure. The vulnerabilities, both rated critical, could allow an attacker to remotely execute arbitrary code, which the industrial giant says could result in downtime or an outage.

Source: securityweek.com