Cyber Web Spider Blog – News

ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Rockwell, Aveva, Schneider

Posted on November 12, 2025 By CWS

Industrial giants Siemens, Schneider Electric, Rockwell Automation, and Aveva have released Patch Tuesday advisories informing customers about vulnerabilities in their ICS/OT products.

Siemens published six new advisories. One of them covers two vulnerabilities in the Comos plant engineering software, including a critical code execution flaw and a high-severity security bypass issue.

Vulnerabilities have also been addressed in Siemens Solid Edge (remote MitM, code execution), Altair Grid Engine (code execution), LOGO! 8 BM (code execution, DoS, settings tampering), and Sicam P850 (CSRF) products.

Rockwell Automation published five new advisories on November 11, each covering high-severity vulnerabilities found in various products.

The company informed customers of its Verve Asset Manager OT security platform that the product is affected by a high-severity access control issue that allows unauthorized read-only users to tamper with other user accounts via an API.

In the Studio 5000 integrated design environment for Logix 5000 controllers, Rockwell fixed an SSRF flaw exposing NTLM hashes, as well as a local code execution bug.

MFA bypass and persistent XSS vulnerabilities have been patched in FactoryTalk DataMosaix Private Cloud. In addition, flaws introduced by third-party components have been fixed in SIS Workstation (code execution) and FactoryTalk Policy Manager (DoS).

Aveva published two new advisories on Tuesday. One of them describes a high-severity persistent XSS flaw that can be exploited for privilege escalation.

The second advisory covers an Aveva Edge vulnerability that allows an attacker with read access to project and cache files to obtain user passwords by brute-forcing weak hashes.

This vulnerability also impacts Schneider Electric’s EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio products. Schneider published two new advisories this Patch Tuesday, and one of them covers the impact of this flaw.

Schneider’s second advisory describes high-severity path traversal, authentication brute-forcing, and privilege escalation issues in the PowerChute Serial Shutdown UPS management software.

Moxa, ABB, Honeywell, and Mitsubishi Electric did not publish any advisories on Patch Tuesday, but all of them informed customers about fixed vulnerabilities in the preceding days. Germany’s VDE@CERT also published two advisories in recent days.

Related: ICS Patch Tuesday: Fixes Introduced by Siemens, Schneider, Rockwell, ABB, Phoenix Contact

Related: ICS Patch Tuesday: Rockwell Automation Leads With 8 Security Advisories
