The Cybersecurity and Infrastructure Security Agency (CISA) announced this week the presence of security defects in AVEVA Software’s SuiteLink Server equipment and xArrow SCADA hardware. Siemens also found a code execution vulnerability in its SINEMA Remote Connect Client equipment.
CISA said in its advisory that the security defects found in AVEVA’s SuiteLink Server are a heap-based buffer overflow, a null pointer dereference, and improper handling of exceptional conditions. The product is usually found in critical infrastructure sectors, including chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems.
AVEVA reports that all current and previous versions of its System Platform 2020 R2 P01, InTouch 2020 R2 P01, Historian 2020 R2 P01, Communication Drivers Pack 2020 R2, Operations Integration Core 3.0, Batch Management 2020, MES 2014 R2, and all versions of Data Acquisition Servers contain the vulnerable version of the SuiteLink Server and are affected.
The British company said in its advisory that the security defects, if exploited, will cause the SuiteLink Server to crash while parsing a malicious packet. Additionally, it may theoretically be possible to achieve Remote Code Execution, but no proof of concept exists. SuiteLink Clients are not affected by this vulnerability and do not need to be patched, it added.
AVEVA advised organizations to evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with affected versions of these products should apply the corresponding security update.
Cross-site scripting and improper input validation defects that, when exploited, can result in remote code execution have been found in the xArrow SCADA equipment.
CISA also revealed that security defects were identified in xArrow SCADA/HMI versions 7.2 and prior. Sharon Brizinov from Claroty and Michael Heinzl reported these vulnerabilities to the security agency.
xArrow has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products who would like to see more responsible security are invited to contact xArrow customer support. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
Siemens reported on Thursday that the latest update for its SINEMA Remote Connect Client fixes a vulnerability that could allow a local attacker to escalate privileges or even allow remote code execution under certain circumstances. Siemens has released a firmware update for SINEMA Remote Connect Client and proposes mitigations if an update is not possible.
SINEMA Remote Connect is a management platform for remote networks that enables the simple management of tunnel connections (VPN) between headquarters, service technicians, and installed machines or plants. It provides both the Remote Connect Server, which is the server application, and the Remote Connect Client, which is an OpenVPN client for optimal connection to SINEMA Remote Connect Server.
Siemens identified specific workarounds and mitigations that customers can apply to reduce the risk, including not accessing links from untrusted sources and restricting access to hosts running SINEMA Remote Connect Client to trusted personnel.
The latest security weakness from Siemens adds to last week’s CISA list of security vulnerabilities that were found in the company’s equipment deployed across multiple critical infrastructure sectors.