Security vulnerabilities were identified in critical infrastructure equipment from several manufacturers, including Siemens, Schneider Electric, and Advantech. Siemens revealed several vulnerabilities across its product lines, including SINEC NMS, SCALANCE W1750D, RUGGEDCOM ROX, SINUMERIK controllers, and several other industrial devices. The Cybersecurity and Infrastructure Security Agency (CISA) also reported Tuesday the detection of security vulnerabilities in critical infrastructure equipment from Advantech and Schneider Electric.
Siemens announced multiple vulnerabilities in its SINEC NMS critical infrastructure equipment, with the most severe possibly allowing an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions. SINEC NMS is a new generation of the Network Management System (NMS) for digital enterprises and can be used to centrally monitor, manage, and configure networks.
To cope with the latest security vulnerability, Siemens has released an update for SINEC NMS and recommends that users update to the latest version. It also advised restricting access to the affected systems, especially to port 443/tcp, to trusted IP addresses only. Claroty’s Noam Moshe carried out the coordinated disclosure to Siemens.
Multiple vulnerabilities have also been found in Scalance W1750D devices that could allow an attacker to inject commands or trigger buffer overflows. Siemens is preparing updates and recommends countermeasures for products for which updates are not planned, or are not yet available. The SCALANCE W1750D controller-based Direct Access Points support radio transmission according to the latest IWLAN standard IEEE 802.11ac Wave 2.
Among various risk mitigation measures, Siemens asked users to block access from all untrusted users to the ArubaOS Command Line Interface, and the ArubaOS web-based management interface. It also recommended blocking access to the Mobility Conductor Command Line Interface from all untrusted users. Siemens SCALANCE W1750D is a brand-labeled device from Aruba.
Siemens also alerted users of the presence of multiple vulnerabilities in RUGGEDCOM ROX devices that have been detected, ranging from command injection to filesystem traversal. An attacker could exploit these to gain root access to the affected devices. Siemens has released updates for the affected products and recommends updating to the latest versions.
RUGGEDCOM products deliver robustness and reliability that have set the standard for communications networks deployed in harsh environments. Designed to meet and exceed IEC 61850-3 protocol requirements, the RUGGEDCOM Layer 3 Multi-Service Platform line of switches and routers offers integrated router, firewall, and VPN functionalities. The RUGGEDCOM RX1400 is a multi-protocol intelligent node that combines Ethernet switching, routing, and application hosting capabilities with various wide-area connectivity options.
A denial-of-service vulnerability was found in SINUMERIK controllers that could allow an unauthenticated attacker with network access to the affected devices to cause system failure with total loss of availability. SINUMERIK CNC offers automation solutions for the shop floor, job shops, and large serial production environments. Siemens has released an update for the SINUMERIK 828D and recommends that users upgrade to the latest version. Siemens recommends specific countermeasures for products where updates are not planned or are not yet available.
Several of the company’s critical infrastructure equipment were also affected by two vulnerabilities that could allow an attacker to cause a Denial-of-Service condition via PROFINET DCP network packets under certain circumstances, Siemens said in its advisory. The precondition for this scenario is a direct layer 2 access to the affected products. PROFIBUS interfaces are not affected. Siemens has released updates for several affected products and recommends updating to the new versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.
Last month, the CISA had announced the identification of various security loopholes in equipment from Siemens, predominantly used in the critical infrastructure industry across multiple industries, which can be exploited by hackers.
CISA revealed on Tuesday that the vulnerabilities found in Schneider Electric’s IGSS (Interactive Graphical SCADA System) critical infrastructure equipment included classic buffer overflow, unrestricted upload of the file with dangerous type, path traversal, and missing authentication for critical function. In its advisory, CISA said that exploitation of these vulnerabilities could allow an attacker to gain code execution, read/delete files, and create arbitrary files. Vyacheslav Moskvin, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA.
Users have been provided an update that fixes these vulnerabilities and is available for download, Schneider Electric said in its advisory. Customers should use appropriate patching methodologies when applying these patches to their systems. “We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure,” it said.
Failure to apply the remediations provided below may risk remote code execution, which in the worst case could result in an attacker gaining access to the Windows Operating System on the machine running IGSS in production, the French company added.
Vulnerabilities were also found in Advantech’s critical infrastructure equipment deployed in the critical manufacturing, energy, and water and wastewater systems. A missing authorization vulnerability has been found in its WebAccess SCADA equipment, CISA said in an advisory. Versions 9.0.3 and prior to the WebAccess/SCADA HMI platform have been affected, it added.
The hardware is a browser-based SCADA software package for supervisory control, data acquisition, and visualization, and is used to automate complex industrial processes for situations where remote operations are needed. In addition to traditional SCADA functions, the HMI platform also features an HTML5-based intelligent dashboard that enables cross-platform, cross-browser data analysis.
The exploitation of the WebAccess/SCADA HMI platform vulnerability could allow an attacker to access project names and paths. Users have been advised to upgrade to v9.1.1 or later.
Advantech’s WebAccess equipment was found to contain heap-based and stack-based buffer overflows. With a CVSS v3 base score of 9.8, these vulnerabilities could allow an attacker to gain remote code execution when exploited. Natnael Samson, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA.
Advantech has released Version 9.1.1 to address the stack-based buffer overflow vulnerability. It recommended that users directly add the remote access code to avoid being attacked by unknown requests to deal with the heap-based buffer overflow vulnerability, the CISA advisory said. This is the remote access code established during the installation of the Advantech WebAccess SCADA software on the OPC Server computer.
The access code entered must match the remote access code established during installation on the OPC Server, to prevent unauthorized users from accessing the OPC Server data using the Advantech WebAccess SCADA OPC Service, it added.