Siemens, other vendors patch critical ICS product vulnerabilities

The US Cybersecurity & Infrastructure Security Agency (CISA) released 15 advisories covering serious vulnerabilities in industrial control products from Siemens, Mitsubishi Electric, Delta Electronics, and Softing Industrial Automation. Some of the flaws are rated with high and critical severity and can result in remote code execution.

Eleven of the 15 advisories cover vulnerabilities in Siemens products, but the number is not surprising considering how many product lines Siemens has in its portfolio and the fact that the company is an ICS vendor with a very active cybersecurity program. Four of the Siemens advisories contain critical severity flaws with CVSS scores between 9 and 10, while another three contain high severity ones with scores between 7 and 9. The rest cover medium and lower severity issues.

Remote code execution flaws could allow access to equipment, sensitive information

The first remote code execution vulnerability is an improper access control issue (CVE-2022-32257) in web service endpoints that are part of the SINEMA Remote Connect Server, a Siemens platform that enables the management of VPN tunnels between headquarters, service technicians and installed machines or plants. The flaw is rated 9.8 and impacts SINEMA Remote Connect Server versions prior to V3.2 and V3.1.

A lower severity cross-site scripting issue (CVE-2020-23064) has also been patched in the jQuery library that is part of the service and which could allow remote attackers to execute arbitrary code via the “options” element.

A high-risk vulnerability was also patched in the SINEMA Remote Connect Client component. This flaw, tracked as CVE-2024-22045, could allow attackers to access sensitive information because the product placed such information into files and directories that are accessible to unauthorized users.

A major software update was also released for the SIMATIC RF160B RFID mobile reader, which is a battery-powered handheld terminal used in many industries. The new version 2.2 update addresses more than 150 vulnerabilities discovered over the past several years, 11 of which are rated critical and could result in code execution.